Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
1
.gitignore
vendored
1
.gitignore
vendored
@ -1 +0,0 @@
|
|||||||
SOURCES/Pillow-5.1.1.tar.gz
|
|
@ -1 +0,0 @@
|
|||||||
2120f1bbf8d39cb0f1a5a50fb79b993e8b75851c SOURCES/Pillow-5.1.1.tar.gz
|
|
@ -1,42 +0,0 @@
|
|||||||
From b78ede45a294b567d27d7198ff3354df86a5b7f1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Tue, 11 Sep 2018 15:58:31 +0200
|
|
||||||
Subject: [PATCH 1/2] Fix potential un-terminated buffer problem (CWE-120)
|
|
||||||
|
|
||||||
---
|
|
||||||
src/libImaging/Histo.c | 4 +++-
|
|
||||||
src/libImaging/Palette.c | 3 ++-
|
|
||||||
2 files changed, 5 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/Histo.c b/src/libImaging/Histo.c
|
|
||||||
index 0bfc8dfe..2b35873e 100644
|
|
||||||
--- a/src/libImaging/Histo.c
|
|
||||||
+++ b/src/libImaging/Histo.c
|
|
||||||
@@ -41,7 +41,9 @@ ImagingHistogramNew(Imaging im)
|
|
||||||
|
|
||||||
/* Create histogram descriptor */
|
|
||||||
h = calloc(1, sizeof(struct ImagingHistogramInstance));
|
|
||||||
- strncpy(h->mode, im->mode, IMAGING_MODE_LENGTH);
|
|
||||||
+ strncpy(h->mode, im->mode, IMAGING_MODE_LENGTH-1);
|
|
||||||
+ h->mode[IMAGING_MODE_LENGTH-1] = 0;
|
|
||||||
+
|
|
||||||
h->bands = im->bands;
|
|
||||||
h->histogram = calloc(im->pixelsize, 256 * sizeof(long));
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/Palette.c b/src/libImaging/Palette.c
|
|
||||||
index 31c2c024..7aee6e8e 100644
|
|
||||||
--- a/src/libImaging/Palette.c
|
|
||||||
+++ b/src/libImaging/Palette.c
|
|
||||||
@@ -37,7 +37,8 @@ ImagingPaletteNew(const char* mode)
|
|
||||||
if (!palette)
|
|
||||||
return (ImagingPalette) ImagingError_MemoryError();
|
|
||||||
|
|
||||||
- strncpy(palette->mode, mode, IMAGING_MODE_LENGTH);
|
|
||||||
+ strncpy(palette->mode, mode, IMAGING_MODE_LENGTH-1);
|
|
||||||
+ palette->mode[IMAGING_MODE_LENGTH-1] = 0;
|
|
||||||
|
|
||||||
/* Initialize to ramp */
|
|
||||||
for (i = 0; i < 256; i++) {
|
|
||||||
--
|
|
||||||
2.17.1
|
|
||||||
|
|
@ -1,258 +0,0 @@
|
|||||||
From 6adac809e96c8bfeb50a3bd14570a8118bcd5d65 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Thu, 13 Sep 2018 12:22:11 +0200
|
|
||||||
Subject: [PATCH 2/2] Fix potential leaked storage issues (CWE-772)
|
|
||||||
|
|
||||||
---
|
|
||||||
src/Tk/tkImaging.c | 2 ++
|
|
||||||
src/_imaging.c | 15 +++++++++++++--
|
|
||||||
src/encode.c | 12 +++++++++---
|
|
||||||
src/libImaging/Histo.c | 12 +++++++++---
|
|
||||||
src/libImaging/Quant.c | 2 ++
|
|
||||||
src/libImaging/QuantOctree.c | 1 +
|
|
||||||
src/libImaging/Resample.c | 2 ++
|
|
||||||
src/path.c | 8 ++++++--
|
|
||||||
8 files changed, 44 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/Tk/tkImaging.c b/src/Tk/tkImaging.c
|
|
||||||
index f448be16..10090b0e 100644
|
|
||||||
--- a/src/Tk/tkImaging.c
|
|
||||||
+++ b/src/Tk/tkImaging.c
|
|
||||||
@@ -442,6 +442,7 @@ int load_tkinter_funcs(void)
|
|
||||||
/* Try loading from the main program namespace first */
|
|
||||||
main_program = dlopen(NULL, RTLD_LAZY);
|
|
||||||
if (_func_loader(main_program) == 0) {
|
|
||||||
+ dlclose(main_program);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
/* Clear exception triggered when we didn't find symbols above */
|
|
||||||
@@ -470,6 +471,7 @@ int load_tkinter_funcs(void)
|
|
||||||
/* dlclose probably safe because tkinter has been imported. */
|
|
||||||
dlclose(tkinter_lib);
|
|
||||||
exit:
|
|
||||||
+ dlclose(main_program);
|
|
||||||
Py_XDECREF(pModule);
|
|
||||||
Py_XDECREF(pString);
|
|
||||||
return ret;
|
|
||||||
diff --git a/src/_imaging.c b/src/_imaging.c
|
|
||||||
index 11f5f6ea..445470bf 100644
|
|
||||||
--- a/src/_imaging.c
|
|
||||||
+++ b/src/_imaging.c
|
|
||||||
@@ -856,8 +856,10 @@ _gaussian_blur(ImagingObject* self, PyObject* args)
|
|
||||||
if (!imOut)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- if (!ImagingGaussianBlur(imOut, imIn, radius, passes))
|
|
||||||
+ if (!ImagingGaussianBlur(imOut, imIn, radius, passes)) {
|
|
||||||
+ ImagingDelete(imOut);
|
|
||||||
return NULL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return PyImagingNew(imOut);
|
|
||||||
}
|
|
||||||
@@ -1745,8 +1747,10 @@ _box_blur(ImagingObject* self, PyObject* args)
|
|
||||||
if (!imOut)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- if (!ImagingBoxBlur(imOut, imIn, radius, n))
|
|
||||||
+ if (!ImagingBoxBlur(imOut, imIn, radius, n)) {
|
|
||||||
+ ImagingDelete(imOut);
|
|
||||||
return NULL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return PyImagingNew(imOut);
|
|
||||||
}
|
|
||||||
@@ -2386,6 +2390,7 @@ _draw_arc(ImagingDrawObject* self, PyObject* args)
|
|
||||||
return NULL;
|
|
||||||
if (n != 2) {
|
|
||||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
|
||||||
+ free(xy);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2423,6 +2428,7 @@ _draw_bitmap(ImagingDrawObject* self, PyObject* args)
|
|
||||||
PyErr_SetString(PyExc_TypeError,
|
|
||||||
"coordinate list must contain exactly 1 coordinate"
|
|
||||||
);
|
|
||||||
+ free(xy);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2458,6 +2464,7 @@ _draw_chord(ImagingDrawObject* self, PyObject* args)
|
|
||||||
return NULL;
|
|
||||||
if (n != 2) {
|
|
||||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
|
||||||
+ free(xy);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2493,6 +2500,7 @@ _draw_ellipse(ImagingDrawObject* self, PyObject* args)
|
|
||||||
return NULL;
|
|
||||||
if (n != 2) {
|
|
||||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
|
||||||
+ free(xy);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2674,6 +2682,7 @@ _draw_pieslice(ImagingDrawObject* self, PyObject* args)
|
|
||||||
return NULL;
|
|
||||||
if (n != 2) {
|
|
||||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
|
||||||
+ free(xy);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2712,6 +2721,7 @@ _draw_polygon(ImagingDrawObject* self, PyObject* args)
|
|
||||||
PyErr_SetString(PyExc_TypeError,
|
|
||||||
"coordinate list must contain at least 2 coordinates"
|
|
||||||
);
|
|
||||||
+ free(xy);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2754,6 +2764,7 @@ _draw_rectangle(ImagingDrawObject* self, PyObject* args)
|
|
||||||
return NULL;
|
|
||||||
if (n != 2) {
|
|
||||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
|
||||||
+ free(xy);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/encode.c b/src/encode.c
|
|
||||||
index ae4277c0..9f7c6592 100644
|
|
||||||
--- a/src/encode.c
|
|
||||||
+++ b/src/encode.c
|
|
||||||
@@ -552,11 +552,15 @@ PyImaging_ZipEncoderNew(PyObject* self, PyObject* args)
|
|
||||||
dictionary = NULL;
|
|
||||||
|
|
||||||
encoder = PyImaging_EncoderNew(sizeof(ZIPSTATE));
|
|
||||||
- if (encoder == NULL)
|
|
||||||
+ if (encoder == NULL) {
|
|
||||||
+ free(dictionary);
|
|
||||||
return NULL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if (get_packer(encoder, mode, rawmode) < 0)
|
|
||||||
+ if (get_packer(encoder, mode, rawmode) < 0) {
|
|
||||||
+ free(dictionary);
|
|
||||||
return NULL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
encoder->encode = ImagingZipEncode;
|
|
||||||
encoder->cleanup = ImagingZipEncodeCleanup;
|
|
||||||
@@ -717,8 +721,10 @@ PyImaging_JpegEncoderNew(PyObject* self, PyObject* args)
|
|
||||||
if (rawExif && rawExifLen > 0) {
|
|
||||||
/* malloc check ok, length is from python parsearg */
|
|
||||||
char* pp = malloc(rawExifLen); // Freed in JpegEncode, Case 5
|
|
||||||
- if (!pp)
|
|
||||||
+ if (!pp) {
|
|
||||||
+ if (extra) free(extra);
|
|
||||||
return PyErr_NoMemory();
|
|
||||||
+ }
|
|
||||||
memcpy(pp, rawExif, rawExifLen);
|
|
||||||
rawExif = pp;
|
|
||||||
} else
|
|
||||||
diff --git a/src/libImaging/Histo.c b/src/libImaging/Histo.c
|
|
||||||
index 2b35873e..b7c1a983 100644
|
|
||||||
--- a/src/libImaging/Histo.c
|
|
||||||
+++ b/src/libImaging/Histo.c
|
|
||||||
@@ -82,8 +82,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
|
|
||||||
h->histogram[im->image8[y][x]]++;
|
|
||||||
ImagingSectionLeave(&cookie);
|
|
||||||
} else { /* yes, we need the braces. C isn't Python! */
|
|
||||||
- if (im->type != IMAGING_TYPE_UINT8)
|
|
||||||
+ if (im->type != IMAGING_TYPE_UINT8) {
|
|
||||||
+ ImagingHistogramDelete(h);
|
|
||||||
return ImagingError_ModeError();
|
|
||||||
+ }
|
|
||||||
ImagingSectionEnter(&cookie);
|
|
||||||
for (y = 0; y < im->ysize; y++) {
|
|
||||||
UINT8* in = (UINT8*) im->image32[y];
|
|
||||||
@@ -122,8 +124,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
|
|
||||||
ImagingSectionLeave(&cookie);
|
|
||||||
break;
|
|
||||||
case IMAGING_TYPE_INT32:
|
|
||||||
- if (!minmax)
|
|
||||||
+ if (!minmax) {
|
|
||||||
+ ImagingHistogramDelete(h);
|
|
||||||
return ImagingError_ValueError("min/max not given");
|
|
||||||
+ }
|
|
||||||
if (!im->xsize || !im->ysize)
|
|
||||||
break;
|
|
||||||
imin = ((INT32*) minmax)[0];
|
|
||||||
@@ -143,8 +147,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
|
|
||||||
ImagingSectionLeave(&cookie);
|
|
||||||
break;
|
|
||||||
case IMAGING_TYPE_FLOAT32:
|
|
||||||
- if (!minmax)
|
|
||||||
+ if (!minmax) {
|
|
||||||
+ ImagingHistogramDelete(h);
|
|
||||||
return ImagingError_ValueError("min/max not given");
|
|
||||||
+ }
|
|
||||||
if (!im->xsize || !im->ysize)
|
|
||||||
break;
|
|
||||||
fmin = ((FLOAT32*) minmax)[0];
|
|
||||||
diff --git a/src/libImaging/Quant.c b/src/libImaging/Quant.c
|
|
||||||
index df313816..b94dc6e1 100644
|
|
||||||
--- a/src/libImaging/Quant.c
|
|
||||||
+++ b/src/libImaging/Quant.c
|
|
||||||
@@ -568,6 +568,8 @@ split(BoxNode *node)
|
|
||||||
left=malloc(sizeof(BoxNode));
|
|
||||||
right=malloc(sizeof(BoxNode));
|
|
||||||
if (!left||!right) {
|
|
||||||
+ free(left);
|
|
||||||
+ free(right);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
for(i=0;i<3;i++) {
|
|
||||||
diff --git a/src/libImaging/QuantOctree.c b/src/libImaging/QuantOctree.c
|
|
||||||
index e18ab3c6..d778c942 100644
|
|
||||||
--- a/src/libImaging/QuantOctree.c
|
|
||||||
+++ b/src/libImaging/QuantOctree.c
|
|
||||||
@@ -470,6 +470,7 @@ error:
|
|
||||||
free(qp);
|
|
||||||
free_color_cube(lookupCube);
|
|
||||||
free_color_cube(coarseLookupCube);
|
|
||||||
+ free(paletteBuckets);
|
|
||||||
free(paletteBucketsCoarse);
|
|
||||||
free(paletteBucketsFine);
|
|
||||||
free_color_cube(coarseCube);
|
|
||||||
diff --git a/src/libImaging/Resample.c b/src/libImaging/Resample.c
|
|
||||||
index cda005d9..b90395e8 100644
|
|
||||||
--- a/src/libImaging/Resample.c
|
|
||||||
+++ b/src/libImaging/Resample.c
|
|
||||||
@@ -538,6 +538,8 @@ ImagingResampleInner(Imaging imIn, int xsize, int ysize,
|
|
||||||
if ( ! ksize_vert) {
|
|
||||||
free(bounds_horiz);
|
|
||||||
free(kk_horiz);
|
|
||||||
+ free(bounds_vert);
|
|
||||||
+ free(kk_vert);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/path.c b/src/path.c
|
|
||||||
index b56ea838..5984a3d1 100644
|
|
||||||
--- a/src/path.c
|
|
||||||
+++ b/src/path.c
|
|
||||||
@@ -82,12 +82,16 @@ path_new(Py_ssize_t count, double* xy, int duplicate)
|
|
||||||
xy = p;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (PyType_Ready(&PyPathType) < 0)
|
|
||||||
+ if (PyType_Ready(&PyPathType) < 0) {
|
|
||||||
+ free(xy);
|
|
||||||
return NULL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
path = PyObject_New(PyPathObject, &PyPathType);
|
|
||||||
- if (path == NULL)
|
|
||||||
+ if (path == NULL) {
|
|
||||||
+ free(xy);
|
|
||||||
return NULL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
path->count = count;
|
|
||||||
path->xy = xy;
|
|
||||||
--
|
|
||||||
2.17.1
|
|
||||||
|
|
@ -1,50 +0,0 @@
|
|||||||
From e705cd1476f04a918aae34f638b502116cb12eba Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jon Dufresne <jon.dufresne@gmail.com>
|
|
||||||
Date: Tue, 3 Apr 2018 20:36:09 -0700
|
|
||||||
Subject: [PATCH] Fix dereferencing type-punned pointer will break
|
|
||||||
strict-aliasing
|
|
||||||
|
|
||||||
Compiler warning appeared as:
|
|
||||||
|
|
||||||
src/path.c:574:22: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
|
|
||||||
Py_TYPE(&item)->tp_name);
|
|
||||||
^~~~~~~
|
|
||||||
|
|
||||||
As item is already of type PyObject*, and the Py_TYPE macro is
|
|
||||||
equivalent to (((PyObject*)(o))->ob_type), no need for the dereference.
|
|
||||||
|
|
||||||
https://docs.python.org/3/c-api/structures.html#c.Py_TYPE
|
|
||||||
---
|
|
||||||
Tests/test_imagepath.py | 5 +++++
|
|
||||||
src/path.c | 2 +-
|
|
||||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
|
|
||||||
index 14cc4d14b..98a6d3416 100644
|
|
||||||
--- a/Tests/test_imagepath.py
|
|
||||||
+++ b/Tests/test_imagepath.py
|
|
||||||
@@ -17,6 +17,11 @@ def test_path(self):
|
|
||||||
self.assertEqual(p[0], (0.0, 1.0))
|
|
||||||
self.assertEqual(p[-1], (8.0, 9.0))
|
|
||||||
self.assertEqual(list(p[:1]), [(0.0, 1.0)])
|
|
||||||
+ with self.assertRaises(TypeError) as cm:
|
|
||||||
+ p['foo']
|
|
||||||
+ self.assertEqual(
|
|
||||||
+ str(cm.exception),
|
|
||||||
+ "Path indices must be integers, not str")
|
|
||||||
self.assertEqual(
|
|
||||||
list(p),
|
|
||||||
[(0.0, 1.0), (2.0, 3.0), (4.0, 5.0), (6.0, 7.0), (8.0, 9.0)])
|
|
||||||
diff --git a/src/path.c b/src/path.c
|
|
||||||
index b56ea838e..d1c18c8ed 100644
|
|
||||||
--- a/src/path.c
|
|
||||||
+++ b/src/path.c
|
|
||||||
@@ -571,7 +571,7 @@ path_subscript(PyPathObject* self, PyObject* item) {
|
|
||||||
else {
|
|
||||||
PyErr_Format(PyExc_TypeError,
|
|
||||||
"Path indices must be integers, not %.200s",
|
|
||||||
- Py_TYPE(&item)->tp_name);
|
|
||||||
+ Py_TYPE(item)->tp_name);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,56 +0,0 @@
|
|||||||
From f91c78960495efa04c7f12eeb916158d4bfbabc4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Mon, 13 Jul 2020 15:40:11 +0200
|
|
||||||
Subject: [PATCH] CVE-2020-11538
|
|
||||||
|
|
||||||
---
|
|
||||||
src/libImaging/SgiRleDecode.c | 8 ++++++--
|
|
||||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
|
||||||
index 6367ae7..eb8fc84 100644
|
|
||||||
--- a/src/libImaging/SgiRleDecode.c
|
|
||||||
+++ b/src/libImaging/SgiRleDecode.c
|
|
||||||
@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
|
|
||||||
static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
|
||||||
{
|
|
||||||
UINT8 pixel, count;
|
|
||||||
+ int x = 0;
|
|
||||||
|
|
||||||
for (;n > 0; n--)
|
|
||||||
{
|
|
||||||
@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
|
||||||
count = pixel & RLE_MAX_RUN;
|
|
||||||
if (!count)
|
|
||||||
return count;
|
|
||||||
- if (count > xsize) {
|
|
||||||
+ if (x + count > xsize) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ x += count;
|
|
||||||
if (pixel & RLE_COPY_FLAG) {
|
|
||||||
while(count--) {
|
|
||||||
*dest = *src++;
|
|
||||||
@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
|
||||||
{
|
|
||||||
UINT8 pixel, count;
|
|
||||||
|
|
||||||
+ int x = 0;
|
|
||||||
|
|
||||||
for (;n > 0; n--)
|
|
||||||
{
|
|
||||||
@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
|
||||||
count = pixel & RLE_MAX_RUN;
|
|
||||||
if (!count)
|
|
||||||
return count;
|
|
||||||
- if (count > xsize) {
|
|
||||||
+ if (x + count > xsize) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ x += count;
|
|
||||||
if (pixel & RLE_COPY_FLAG) {
|
|
||||||
while(count--) {
|
|
||||||
*dest = *src++;
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From 7a0aea5806d57e0e7c5187fbc9c2937a16e0bca1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Eric Soroos <eric-github@soroos.net>
|
|
||||||
Date: Thu, 17 Dec 2020 00:17:53 +0100
|
|
||||||
Subject: [PATCH] Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
|
|
||||||
|
|
||||||
* Don't trust the image to specify a buffer size
|
|
||||||
---
|
|
||||||
src/PIL/PcxImagePlugin.py | 9 +++++++--
|
|
||||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py
|
|
||||||
index 564713a..17bbd18 100644
|
|
||||||
--- a/src/PIL/PcxImagePlugin.py
|
|
||||||
+++ b/src/PIL/PcxImagePlugin.py
|
|
||||||
@@ -63,9 +63,9 @@ class PcxImageFile(ImageFile.ImageFile):
|
|
||||||
version = i8(s[1])
|
|
||||||
bits = i8(s[3])
|
|
||||||
planes = i8(s[65])
|
|
||||||
- stride = i16(s, 66)
|
|
||||||
+ ignored_stride = i16(s, 66)
|
|
||||||
logger.debug("PCX version %s, bits %s, planes %s, stride %s",
|
|
||||||
- version, bits, planes, stride)
|
|
||||||
+ version, bits, planes, ignored_stride)
|
|
||||||
|
|
||||||
self.info["dpi"] = i16(s, 12), i16(s, 14)
|
|
||||||
|
|
||||||
@@ -102,6 +102,11 @@ class PcxImageFile(ImageFile.ImageFile):
|
|
||||||
self.mode = mode
|
|
||||||
self.size = bbox[2]-bbox[0], bbox[3]-bbox[1]
|
|
||||||
|
|
||||||
+ # don't trust the passed in stride. Calculate for ourselves.
|
|
||||||
+ # CVE-2020-35653
|
|
||||||
+ stride = (self.size[0] * bits + 7) // 8
|
|
||||||
+ stride += stride % 2
|
|
||||||
+
|
|
||||||
bbox = (0, 0) + self.size
|
|
||||||
logger.debug("size: %sx%s", *self.size)
|
|
||||||
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,136 +0,0 @@
|
|||||||
From f276de1139ec16395dc8b382860fb58e331fbd53 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Eric Soroos <eric-github@soroos.net>
|
|
||||||
Date: Thu, 29 Oct 2020 23:07:15 +0000
|
|
||||||
Subject: [PATCH 1/2] Fix for SGI Decode buffer overrun CVE-2020-35655
|
|
||||||
|
|
||||||
* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
|
|
||||||
---
|
|
||||||
src/libImaging/SgiRleDecode.c | 23 ++++++++++++++++-------
|
|
||||||
1 file changed, 16 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
|
||||||
index eb8fc84..c256169 100644
|
|
||||||
--- a/src/libImaging/SgiRleDecode.c
|
|
||||||
+++ b/src/libImaging/SgiRleDecode.c
|
|
||||||
@@ -107,11 +107,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
int err = 0;
|
|
||||||
int status;
|
|
||||||
|
|
||||||
+ /* size check */
|
|
||||||
+ if (im->xsize > INT_MAX / im->bands ||
|
|
||||||
+ im->ysize > INT_MAX / im->bands) {
|
|
||||||
+ return IMAGING_CODEC_MEMORY;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Get all data from File descriptor */
|
|
||||||
c = (SGISTATE*)state->context;
|
|
||||||
_imaging_seek_pyFd(state->fd, 0L, SEEK_END);
|
|
||||||
c->bufsize = _imaging_tell_pyFd(state->fd);
|
|
||||||
c->bufsize -= SGI_HEADER_SIZE;
|
|
||||||
+
|
|
||||||
+ c->tablen = im->bands * im->ysize;
|
|
||||||
+ /* below, we populate the starttab and lentab into the bufsize,
|
|
||||||
+ each with 4 bytes per element of tablen
|
|
||||||
+ Check here before we allocate any memory
|
|
||||||
+ */
|
|
||||||
+ if (c->bufsize < 8*c->tablen) {
|
|
||||||
+ return IMAGING_CODEC_MEMORY;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ptr = malloc(sizeof(UINT8) * c->bufsize);
|
|
||||||
if (!ptr) {
|
|
||||||
return IMAGING_CODEC_MEMORY;
|
|
||||||
@@ -129,18 +145,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
state->ystep = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (im->xsize > INT_MAX / im->bands ||
|
|
||||||
- im->ysize > INT_MAX / im->bands) {
|
|
||||||
- err = IMAGING_CODEC_MEMORY;
|
|
||||||
- goto sgi_finish_decode;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* Allocate memory for RLE tables and rows */
|
|
||||||
free(state->buffer);
|
|
||||||
state->buffer = NULL;
|
|
||||||
/* malloc overflow check above */
|
|
||||||
state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
|
|
||||||
- c->tablen = im->bands * im->ysize;
|
|
||||||
c->starttab = calloc(c->tablen, sizeof(UINT32));
|
|
||||||
c->lengthtab = calloc(c->tablen, sizeof(UINT32));
|
|
||||||
if (!state->buffer ||
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 18aa14484fa63dabcafea63cf0b7bfb4066e979c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Eric Soroos <eric-github@soroos.net>
|
|
||||||
Date: Fri, 30 Oct 2020 09:57:23 +0000
|
|
||||||
Subject: [PATCH 2/2] Make the SGI code return -1 as an error flag, error in
|
|
||||||
state
|
|
||||||
|
|
||||||
---
|
|
||||||
src/libImaging/SgiRleDecode.c | 16 ++++++++++------
|
|
||||||
1 file changed, 10 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
|
||||||
index c256169..2259159 100644
|
|
||||||
--- a/src/libImaging/SgiRleDecode.c
|
|
||||||
+++ b/src/libImaging/SgiRleDecode.c
|
|
||||||
@@ -110,7 +110,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
/* size check */
|
|
||||||
if (im->xsize > INT_MAX / im->bands ||
|
|
||||||
im->ysize > INT_MAX / im->bands) {
|
|
||||||
- return IMAGING_CODEC_MEMORY;
|
|
||||||
+ state->errcode = IMAGING_CODEC_MEMORY;
|
|
||||||
+ return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Get all data from File descriptor */
|
|
||||||
@@ -125,12 +126,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
Check here before we allocate any memory
|
|
||||||
*/
|
|
||||||
if (c->bufsize < 8*c->tablen) {
|
|
||||||
- return IMAGING_CODEC_MEMORY;
|
|
||||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
+ return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
ptr = malloc(sizeof(UINT8) * c->bufsize);
|
|
||||||
if (!ptr) {
|
|
||||||
- return IMAGING_CODEC_MEMORY;
|
|
||||||
+ state->errcode = IMAGING_CODEC_MEMORY;
|
|
||||||
+ return -1;
|
|
||||||
}
|
|
||||||
_imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
|
|
||||||
_imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
|
|
||||||
@@ -178,7 +181,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
|
|
||||||
if (c->rleoffset + c->rlelength > c->bufsize) {
|
|
||||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
- return -1;
|
|
||||||
+ goto sgi_finish_decode;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* row decompression */
|
|
||||||
@@ -190,7 +193,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
}
|
|
||||||
if (status == -1) {
|
|
||||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
- return -1;
|
|
||||||
+ goto sgi_finish_decode;
|
|
||||||
} else if (status == 1) {
|
|
||||||
goto sgi_finish_decode;
|
|
||||||
}
|
|
||||||
@@ -211,7 +214,8 @@ sgi_finish_decode: ;
|
|
||||||
free(c->lengthtab);
|
|
||||||
free(ptr);
|
|
||||||
if (err != 0){
|
|
||||||
- return err;
|
|
||||||
+ state->errcode=err;
|
|
||||||
+ return -1;
|
|
||||||
}
|
|
||||||
return state->count - c->bufsize;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,83 +0,0 @@
|
|||||||
From 1dd0fb64bd3cc221b5877ece4ce2f300245b638f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Mon, 17 Feb 2020 14:19:32 +0100
|
|
||||||
Subject: [PATCH] CVE-2020-5311
|
|
||||||
|
|
||||||
---
|
|
||||||
src/libImaging/SgiRleDecode.c | 23 +++++++++++++++++------
|
|
||||||
1 file changed, 17 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
|
||||||
index 39e7b3a..6367ae7 100644
|
|
||||||
--- a/src/libImaging/SgiRleDecode.c
|
|
||||||
+++ b/src/libImaging/SgiRleDecode.c
|
|
||||||
@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
|
|
||||||
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
|
||||||
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
|
||||||
{
|
|
||||||
UINT8 pixel, count;
|
|
||||||
|
|
||||||
@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
|
||||||
count = pixel & RLE_MAX_RUN;
|
|
||||||
if (!count)
|
|
||||||
return count;
|
|
||||||
+ if (count > xsize) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
if (pixel & RLE_COPY_FLAG) {
|
|
||||||
while(count--) {
|
|
||||||
*dest = *src++;
|
|
||||||
@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
|
|
||||||
+static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
|
||||||
{
|
|
||||||
UINT8 pixel, count;
|
|
||||||
|
|
||||||
@@ -70,6 +73,9 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
|
|
||||||
count = pixel & RLE_MAX_RUN;
|
|
||||||
if (!count)
|
|
||||||
return count;
|
|
||||||
+ if (count > xsize) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
if (pixel & RLE_COPY_FLAG) {
|
|
||||||
while(count--) {
|
|
||||||
*dest = *src++;
|
|
||||||
@@ -95,6 +101,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
UINT8 *ptr;
|
|
||||||
SGISTATE *c;
|
|
||||||
int err = 0;
|
|
||||||
+ int status;
|
|
||||||
|
|
||||||
/* Get all data from File descriptor */
|
|
||||||
c = (SGISTATE*)state->context;
|
|
||||||
@@ -163,12 +170,16 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
|
|
||||||
/* row decompression */
|
|
||||||
if (c->bpc ==1) {
|
|
||||||
- if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
|
|
||||||
- goto sgi_finish_decode;
|
|
||||||
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
- if(expandrow2((UINT16*)&state->buffer[c->channo * 2], (UINT16*)&ptr[c->rleoffset], c->rlelength, im->bands))
|
|
||||||
- goto sgi_finish_decode;
|
|
||||||
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
|
||||||
+ }
|
|
||||||
+ if (status == -1) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
+ return -1;
|
|
||||||
+ } else if (status == 1) {
|
|
||||||
+ goto sgi_finish_decode;
|
|
||||||
}
|
|
||||||
|
|
||||||
state->count += c->rlelength;
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
@ -1,183 +0,0 @@
|
|||||||
From cc9658731ba1ea291f83ea959acc27ac28384a2c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Fri, 14 Feb 2020 11:14:53 +0100
|
|
||||||
Subject: [PATCH] Combined fix for CVE-2020-5312 and CVE-2019-16865
|
|
||||||
|
|
||||||
---
|
|
||||||
src/PIL/GifImagePlugin.py | 1 +
|
|
||||||
src/PIL/IcoImagePlugin.py | 1 +
|
|
||||||
src/PIL/PsdImagePlugin.py | 6 ++++--
|
|
||||||
src/PIL/TiffImagePlugin.py | 4 ++--
|
|
||||||
src/libImaging/FliDecode.c | 14 +++++++++++---
|
|
||||||
src/libImaging/PcxDecode.c | 8 ++++++++
|
|
||||||
src/libImaging/RawDecode.c | 11 +++++++++--
|
|
||||||
src/libImaging/SgiRleDecode.c | 5 +++++
|
|
||||||
8 files changed, 41 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
|
|
||||||
index c01adff..99af4a5 100644
|
|
||||||
--- a/src/PIL/GifImagePlugin.py
|
|
||||||
+++ b/src/PIL/GifImagePlugin.py
|
|
||||||
@@ -251,6 +251,7 @@ class GifImageFile(ImageFile.ImageFile):
|
|
||||||
self.dispose = None
|
|
||||||
elif self.disposal_method == 2:
|
|
||||||
# replace with background colour
|
|
||||||
+ Image._decompression_bomb_check(self.size)
|
|
||||||
self.dispose = Image.core.fill("P", self.size,
|
|
||||||
self.info["background"])
|
|
||||||
else:
|
|
||||||
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
|
|
||||||
index 428fdd4..2b6d1e0 100644
|
|
||||||
--- a/src/PIL/IcoImagePlugin.py
|
|
||||||
+++ b/src/PIL/IcoImagePlugin.py
|
|
||||||
@@ -167,6 +167,7 @@ class IcoFile(object):
|
|
||||||
else:
|
|
||||||
# XOR + AND mask bmp frame
|
|
||||||
im = BmpImagePlugin.DibImageFile(self.buf)
|
|
||||||
+ Image._decompression_bomb_check(im.size)
|
|
||||||
|
|
||||||
# change tile dimension to only encompass XOR image
|
|
||||||
im.size = (im.size[0], int(im.size[1] / 2))
|
|
||||||
diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
|
|
||||||
index f6e04f7..fe2a2ff 100644
|
|
||||||
--- a/src/PIL/PsdImagePlugin.py
|
|
||||||
+++ b/src/PIL/PsdImagePlugin.py
|
|
||||||
@@ -209,9 +209,11 @@ def _layerinfo(file):
|
|
||||||
# skip over blend flags and extra information
|
|
||||||
filler = read(12)
|
|
||||||
name = ""
|
|
||||||
- size = i32(read(4))
|
|
||||||
+ size = i32(read(4)) # length of the extra data field
|
|
||||||
combined = 0
|
|
||||||
if size:
|
|
||||||
+ data_end = file.tell() + size
|
|
||||||
+
|
|
||||||
length = i32(read(4))
|
|
||||||
if length:
|
|
||||||
mask_y = i32(read(4))
|
|
||||||
@@ -233,7 +235,7 @@ def _layerinfo(file):
|
|
||||||
name = read(length).decode('latin-1', 'replace')
|
|
||||||
combined += length + 1
|
|
||||||
|
|
||||||
- file.seek(size - combined, 1)
|
|
||||||
+ file.seek(data_end)
|
|
||||||
layers.append((name, mode, (x0, y0, x1, y1)))
|
|
||||||
|
|
||||||
# get tiles
|
|
||||||
diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
|
|
||||||
index f903918..b9a1ef7 100644
|
|
||||||
--- a/src/PIL/TiffImagePlugin.py
|
|
||||||
+++ b/src/PIL/TiffImagePlugin.py
|
|
||||||
@@ -1170,8 +1170,8 @@ class TiffImageFile(ImageFile.ImageFile):
|
|
||||||
print("- fill_order:", fillorder)
|
|
||||||
|
|
||||||
# size
|
|
||||||
- xsize = self.tag_v2.get(IMAGEWIDTH)
|
|
||||||
- ysize = self.tag_v2.get(IMAGELENGTH)
|
|
||||||
+ xsize = int(self.tag_v2.get(IMAGEWIDTH))
|
|
||||||
+ ysize = int(self.tag_v2.get(IMAGELENGTH))
|
|
||||||
self.size = xsize, ysize
|
|
||||||
|
|
||||||
if DEBUG:
|
|
||||||
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
|
||||||
index 6d22c6c..a99aca8 100644
|
|
||||||
--- a/src/libImaging/FliDecode.c
|
|
||||||
+++ b/src/libImaging/FliDecode.c
|
|
||||||
@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
||||||
{
|
|
||||||
UINT8* ptr;
|
|
||||||
int framesize;
|
|
||||||
- int c, chunks;
|
|
||||||
+ int c, chunks, advance;
|
|
||||||
int l, lines;
|
|
||||||
int i, j, x = 0, y, ymax;
|
|
||||||
|
|
||||||
@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
||||||
|
|
||||||
chunks = I16(ptr+6);
|
|
||||||
ptr += 16;
|
|
||||||
+ bytes -= 16;
|
|
||||||
|
|
||||||
/* Process subchunks */
|
|
||||||
for (c = 0; c < chunks; c++) {
|
|
||||||
- UINT8 *data = ptr + 6;
|
|
||||||
+ UINT8* data;
|
|
||||||
+ if (bytes < 10) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ data = ptr + 6;
|
|
||||||
switch (I16(ptr+4)) {
|
|
||||||
case 4: case 11:
|
|
||||||
/* FLI COLOR chunk */
|
|
||||||
@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
||||||
state->errcode = IMAGING_CODEC_UNKNOWN;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- ptr += I32(ptr);
|
|
||||||
+ advance = I32(ptr);
|
|
||||||
+ ptr += advance;
|
|
||||||
+ bytes -= advance;
|
|
||||||
}
|
|
||||||
|
|
||||||
return -1; /* end of frame */
|
|
||||||
diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
|
|
||||||
index e5417f1..aaf5867 100644
|
|
||||||
--- a/src/libImaging/PcxDecode.c
|
|
||||||
+++ b/src/libImaging/PcxDecode.c
|
|
||||||
@@ -22,6 +22,14 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
||||||
UINT8 n;
|
|
||||||
UINT8* ptr;
|
|
||||||
|
|
||||||
+ if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
+ return -1;
|
|
||||||
+ } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ptr = buf;
|
|
||||||
|
|
||||||
for (;;) {
|
|
||||||
diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c
|
|
||||||
index 40c0cb7..d4b7994 100644
|
|
||||||
--- a/src/libImaging/RawDecode.c
|
|
||||||
+++ b/src/libImaging/RawDecode.c
|
|
||||||
@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
||||||
|
|
||||||
/* get size of image data and padding */
|
|
||||||
state->bytes = (state->xsize * state->bits + 7) / 8;
|
|
||||||
- rawstate->skip = (rawstate->stride) ?
|
|
||||||
- rawstate->stride - state->bytes : 0;
|
|
||||||
+ if (rawstate->stride) {
|
|
||||||
+ rawstate->skip = rawstate->stride - state->bytes;
|
|
||||||
+ if (rawstate->skip < 0) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_CONFIG;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ rawstate->skip = 0;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* check image orientation */
|
|
||||||
if (state->ystep < 0) {
|
|
||||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
|
||||||
index 9d8e563..39e7b3a 100644
|
|
||||||
--- a/src/libImaging/SgiRleDecode.c
|
|
||||||
+++ b/src/libImaging/SgiRleDecode.c
|
|
||||||
@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
|
|
||||||
c->rleoffset -= SGI_HEADER_SIZE;
|
|
||||||
|
|
||||||
+ if (c->rleoffset + c->rlelength > c->bufsize) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* row decompression */
|
|
||||||
if (c->bpc ==1) {
|
|
||||||
if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From 697957b79a9473f0f643051265885fb048395127 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Wed, 4 Mar 2020 10:54:54 +0100
|
|
||||||
Subject: [PATCH] CVE-2020-5313
|
|
||||||
|
|
||||||
---
|
|
||||||
src/libImaging/FliDecode.c | 8 ++++++--
|
|
||||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
|
||||||
index a99aca8..72ba138 100644
|
|
||||||
--- a/src/libImaging/FliDecode.c
|
|
||||||
+++ b/src/libImaging/FliDecode.c
|
|
||||||
@@ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* We don't decode anything unless we have a full chunk in the
|
|
||||||
- input buffer (on the other hand, the Python part of the driver
|
|
||||||
- makes sure this is always the case) */
|
|
||||||
+ input buffer */
|
|
||||||
|
|
||||||
ptr = buf;
|
|
||||||
|
|
||||||
@@ -52,6 +51,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
||||||
/* Make sure this is a frame chunk. The Python driver takes
|
|
||||||
case of other chunk types. */
|
|
||||||
|
|
||||||
+ if (bytes < 8) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (I16(ptr+4) != 0xF1FA) {
|
|
||||||
state->errcode = IMAGING_CODEC_UNKNOWN;
|
|
||||||
return -1;
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
@ -1,130 +0,0 @@
|
|||||||
From 9c781aa2020eef838284dcb348f4528f3c3cc1ab Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Mon, 14 Jun 2021 09:06:07 +0200
|
|
||||||
Subject: [PATCH 1/5] CVE-2021-25287_25288
|
|
||||||
|
|
||||||
---
|
|
||||||
src/libImaging/Jpeg2KDecode.c | 78 +++++++++++++++++++++++++++--------
|
|
||||||
1 file changed, 61 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c
|
|
||||||
index 9140e00..fdbd0c0 100644
|
|
||||||
--- a/src/libImaging/Jpeg2KDecode.c
|
|
||||||
+++ b/src/libImaging/Jpeg2KDecode.c
|
|
||||||
@@ -110,6 +110,7 @@ j2ku_gray_l(opj_image_t *in, const JPEG2KTILEINFO *tileinfo,
|
|
||||||
if (shift < 0)
|
|
||||||
offset += 1 << (-shift - 1);
|
|
||||||
|
|
||||||
+ /* csiz*h*w + offset = tileinfo.datasize */
|
|
||||||
switch (csiz) {
|
|
||||||
case 1:
|
|
||||||
for (y = 0; y < h; ++y) {
|
|
||||||
@@ -557,8 +558,10 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
|
||||||
opj_dparameters_t params;
|
|
||||||
OPJ_COLOR_SPACE color_space;
|
|
||||||
j2k_unpacker_t unpack = NULL;
|
|
||||||
- size_t buffer_size = 0;
|
|
||||||
- unsigned n;
|
|
||||||
+ size_t buffer_size = 0, tile_bytes = 0;
|
|
||||||
+ unsigned n, tile_height, tile_width;
|
|
||||||
+ int total_component_width = 0;
|
|
||||||
+
|
|
||||||
|
|
||||||
stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
|
|
||||||
|
|
||||||
@@ -703,8 +706,62 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
|
||||||
tile_info.x1 = (tile_info.x1 + correction) >> context->reduce;
|
|
||||||
tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
|
|
||||||
|
|
||||||
+ /* Check the tile bounds; if the tile is outside the image area,
|
|
||||||
+ or if it has a negative width or height (i.e. the coordinates are
|
|
||||||
+ swapped), bail. */
|
|
||||||
+ if (tile_info.x0 >= tile_info.x1
|
|
||||||
+ || tile_info.y0 >= tile_info.y1
|
|
||||||
+ || tile_info.x0 < image->x0
|
|
||||||
+ || tile_info.y0 < image->y0
|
|
||||||
+ || tile_info.x1 - image->x0 > im->xsize
|
|
||||||
+ || tile_info.y1 - image->y0 > im->ysize) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_BROKEN;
|
|
||||||
+ state->state = J2K_STATE_FAILED;
|
|
||||||
+ goto quick_exit;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (tile_info.nb_comps != image->numcomps) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_BROKEN;
|
|
||||||
+ state->state = J2K_STATE_FAILED;
|
|
||||||
+ goto quick_exit;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Sometimes the tile_info.datasize we get back from openjpeg
|
|
||||||
+ is less than sum(comp_bytes)*w*h, and we overflow in the
|
|
||||||
+ shuffle stage */
|
|
||||||
+
|
|
||||||
+ tile_width = tile_info.x1 - tile_info.x0;
|
|
||||||
+ tile_height = tile_info.y1 - tile_info.y0;
|
|
||||||
+
|
|
||||||
+ /* Total component width = sum (component_width) e.g, it's
|
|
||||||
+ legal for an la file to have a 1 byte width for l, and 4 for
|
|
||||||
+ a. and then a malicious file could have a smaller tile_bytes
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+ for (n=0; n < tile_info.nb_comps; n++) {
|
|
||||||
+ // see csize /acsize calcs
|
|
||||||
+ int csize = (image->comps[n].prec + 7) >> 3;
|
|
||||||
+ csize = (csize == 3) ? 4 : csize;
|
|
||||||
+ total_component_width += csize;
|
|
||||||
+ }
|
|
||||||
+ if ((tile_width > UINT_MAX / total_component_width) ||
|
|
||||||
+ (tile_height > UINT_MAX / total_component_width) ||
|
|
||||||
+ (tile_width > UINT_MAX / (tile_height * total_component_width)) ||
|
|
||||||
+ (tile_height > UINT_MAX / (tile_width * total_component_width))) {
|
|
||||||
+
|
|
||||||
+ state->errcode = IMAGING_CODEC_BROKEN;
|
|
||||||
+ state->state = J2K_STATE_FAILED;
|
|
||||||
+ goto quick_exit;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tile_bytes = tile_width * tile_height * total_component_width;
|
|
||||||
+
|
|
||||||
+ if (tile_bytes > tile_info.data_size) {
|
|
||||||
+ tile_info.data_size = tile_bytes;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (buffer_size < tile_info.data_size) {
|
|
||||||
- /* malloc check ok, tile_info.data_size from openjpeg */
|
|
||||||
+ /* malloc check ok, overflow and tile size sanity check above */
|
|
||||||
UINT8 *new = realloc (state->buffer, tile_info.data_size);
|
|
||||||
if (!new) {
|
|
||||||
state->errcode = IMAGING_CODEC_MEMORY;
|
|
||||||
@@ -715,6 +772,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
|
||||||
buffer_size = tile_info.data_size;
|
|
||||||
}
|
|
||||||
|
|
||||||
+
|
|
||||||
if (!opj_decode_tile_data(codec,
|
|
||||||
tile_info.tile_index,
|
|
||||||
(OPJ_BYTE *)state->buffer,
|
|
||||||
@@ -725,20 +783,6 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
|
||||||
goto quick_exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Check the tile bounds; if the tile is outside the image area,
|
|
||||||
- or if it has a negative width or height (i.e. the coordinates are
|
|
||||||
- swapped), bail. */
|
|
||||||
- if (tile_info.x0 >= tile_info.x1
|
|
||||||
- || tile_info.y0 >= tile_info.y1
|
|
||||||
- || tile_info.x0 < image->x0
|
|
||||||
- || tile_info.y0 < image->y0
|
|
||||||
- || tile_info.x1 - image->x0 > im->xsize
|
|
||||||
- || tile_info.y1 - image->y0 > im->ysize) {
|
|
||||||
- state->errcode = IMAGING_CODEC_BROKEN;
|
|
||||||
- state->state = J2K_STATE_FAILED;
|
|
||||||
- goto quick_exit;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
unpack(image, &tile_info, state->buffer, im);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
From c558baf01a97aed376a67ff4641f1c3c864ae3f0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Thu, 8 Apr 2021 17:55:26 +0200
|
|
||||||
Subject: [PATCH 1/4] CVE-2021-25290
|
|
||||||
|
|
||||||
---
|
|
||||||
src/libImaging/TiffDecode.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
|
|
||||||
index f292da3..d17b557 100644
|
|
||||||
--- a/src/libImaging/TiffDecode.c
|
|
||||||
+++ b/src/libImaging/TiffDecode.c
|
|
||||||
@@ -36,6 +36,11 @@ tsize_t _tiffReadProc(thandle_t hdata, tdata_t buf, tsize_t size) {
|
|
||||||
TRACE(("_tiffReadProc: %d \n", (int)size));
|
|
||||||
dump_state(state);
|
|
||||||
|
|
||||||
+ if (state->loc > state->eof) {
|
|
||||||
+ TIFFError("_tiffReadProc", "Invalid Read at loc %d, eof: %d", state->loc, state->eof);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
to_read = min(size, min(state->size, (tsize_t)state->eof) - (tsize_t)state->loc);
|
|
||||||
TRACE(("to_read: %d\n", (int)to_read));
|
|
||||||
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
From f60b6ae79d3c2e759f54bb4acb62b4c49f89fef2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Thu, 8 Apr 2021 17:59:21 +0200
|
|
||||||
Subject: [PATCH 2/4] CVE-2021-25292
|
|
||||||
|
|
||||||
---
|
|
||||||
src/PIL/PdfParser.py | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/PIL/PdfParser.py b/src/PIL/PdfParser.py
|
|
||||||
index b6938fd..189aed8 100644
|
|
||||||
--- a/src/PIL/PdfParser.py
|
|
||||||
+++ b/src/PIL/PdfParser.py
|
|
||||||
@@ -562,8 +562,9 @@ class PdfParser:
|
|
||||||
whitespace_or_hex = br"[\000\011\012\014\015\0400-9a-fA-F]"
|
|
||||||
whitespace_optional = whitespace + b"*"
|
|
||||||
whitespace_mandatory = whitespace + b"+"
|
|
||||||
+ whitespace_optional_no_nl = br"[\000\011\014\015\040]*" # no "\012" aka "\n"
|
|
||||||
newline_only = br"[\r\n]+"
|
|
||||||
- newline = whitespace_optional + newline_only + whitespace_optional
|
|
||||||
+ newline = whitespace_optional_no_nl + newline_only + whitespace_optional_no_nl
|
|
||||||
re_trailer_end = re.compile(whitespace_mandatory + br"trailer" + whitespace_optional + br"\<\<(.*\>\>)" + newline
|
|
||||||
+ br"startxref" + newline + br"([0-9]+)" + newline + br"%%EOF" + whitespace_optional + br"$", re.DOTALL)
|
|
||||||
re_trailer_prev = re.compile(whitespace_optional + br"trailer" + whitespace_optional + br"\<\<(.*?\>\>)" + newline
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
@ -1,207 +0,0 @@
|
|||||||
From 1312c5426e7dd84e396ef2ff35aa09b64d92d382 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Fri, 9 Apr 2021 19:33:55 +0200
|
|
||||||
Subject: [PATCH 3/4] CVE-2021-25293
|
|
||||||
|
|
||||||
---
|
|
||||||
src/libImaging/SgiRleDecode.c | 88 +++++++++++++++++++++++++++++------
|
|
||||||
1 file changed, 75 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
|
||||||
index 2259159..85af456 100644
|
|
||||||
--- a/src/libImaging/SgiRleDecode.c
|
|
||||||
+++ b/src/libImaging/SgiRleDecode.c
|
|
||||||
@@ -25,13 +25,60 @@ static void read4B(UINT32* dest, UINT8* buf)
|
|
||||||
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
|
||||||
+/*
|
|
||||||
+ SgiRleDecoding is done in a single channel row oriented set of RLE chunks.
|
|
||||||
+
|
|
||||||
+ * The file is arranged as
|
|
||||||
+ - SGI Header
|
|
||||||
+ - Rle Offset Table
|
|
||||||
+ - Rle Length Table
|
|
||||||
+ - Scanline Data
|
|
||||||
+
|
|
||||||
+ * Each RLE atom is c->bpc bytes wide (1 or 2)
|
|
||||||
+
|
|
||||||
+ * Each RLE Chunk is [specifier atom] [ 1 or n data atoms ]
|
|
||||||
+
|
|
||||||
+ * Copy Atoms are a byte with the high bit set, and the low 7 are
|
|
||||||
+ the number of bytes to copy from the source to the
|
|
||||||
+ destination. e.g.
|
|
||||||
+
|
|
||||||
+ CBBBBBBBB or 0CHLHLHLHLHLHL (B=byte, H/L = Hi low bytes)
|
|
||||||
+
|
|
||||||
+ * Run atoms do not have the high bit set, and the low 7 bits are
|
|
||||||
+ the number of copies of the next atom to copy to the
|
|
||||||
+ destination. e.g.:
|
|
||||||
+
|
|
||||||
+ RB -> BBBBB or RHL -> HLHLHLHLHL
|
|
||||||
+
|
|
||||||
+ The upshot of this is, there is no way to determine the required
|
|
||||||
+ length of the input buffer from reloffset and rlelength without
|
|
||||||
+ going through the data at that scan line.
|
|
||||||
+
|
|
||||||
+ Furthermore, there's no requirement that individual scan lines
|
|
||||||
+ pointed to from the rleoffset table are in any sort of order or
|
|
||||||
+ used only once, or even disjoint. There's also no requirement that
|
|
||||||
+ all of the data in the scan line area of the image file be used
|
|
||||||
+
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize, UINT8 *end_of_buffer)
|
|
||||||
{
|
|
||||||
+ /*
|
|
||||||
+ * n here is the number of rlechunks
|
|
||||||
+ * z is the number of channels, for calculating the interleave
|
|
||||||
+ * offset to go to RGBA style pixels
|
|
||||||
+ * xsize is the row width
|
|
||||||
+ * end_of_buffer is the address of the end of the input buffer
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
UINT8 pixel, count;
|
|
||||||
int x = 0;
|
|
||||||
|
|
||||||
for (;n > 0; n--)
|
|
||||||
{
|
|
||||||
+ if (src > end_of_buffer) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
pixel = *src++;
|
|
||||||
if (n == 1 && pixel != 0)
|
|
||||||
return n;
|
|
||||||
@@ -43,6 +90,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
|
||||||
}
|
|
||||||
x += count;
|
|
||||||
if (pixel & RLE_COPY_FLAG) {
|
|
||||||
+ if (src + count > end_of_buffer) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
while(count--) {
|
|
||||||
*dest = *src++;
|
|
||||||
dest += z;
|
|
||||||
@@ -50,6 +100,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
|
||||||
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
+ if (src > end_of_buffer) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
pixel = *src++;
|
|
||||||
while (count--) {
|
|
||||||
*dest = pixel;
|
|
||||||
@@ -61,7 +114,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
|
||||||
+static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize, UINT8 *end_of_buffer)
|
|
||||||
{
|
|
||||||
UINT8 pixel, count;
|
|
||||||
|
|
||||||
@@ -69,6 +122,9 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
|
||||||
|
|
||||||
for (;n > 0; n--)
|
|
||||||
{
|
|
||||||
+ if (src + 1 > end_of_buffer) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
pixel = ((UINT8*)src)[1];
|
|
||||||
++src;
|
|
||||||
if (n == 1 && pixel != 0)
|
|
||||||
@@ -81,12 +137,18 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
|
||||||
}
|
|
||||||
x += count;
|
|
||||||
if (pixel & RLE_COPY_FLAG) {
|
|
||||||
+ if (src + 2 * count > end_of_buffer) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
while(count--) {
|
|
||||||
*dest = *src++;
|
|
||||||
dest += z;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
+ if (src + 2 > end_of_buffer) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
while (count--) {
|
|
||||||
*dest = *src;
|
|
||||||
dest += z;
|
|
||||||
@@ -136,8 +198,10 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
_imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
|
|
||||||
- _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
|
|
||||||
-
|
|
||||||
+ if (_imaging_read_pyFd(state->fd, (char *)ptr, c->bufsize) != c->bufsize) {
|
|
||||||
+ state->errcode = IMAGING_CODEC_UNKNOWN;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* decoder initialization */
|
|
||||||
state->count = 0;
|
|
||||||
@@ -168,8 +232,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
for (c->tabindex = 0, c->bufindex = c->tablen * sizeof(UINT32); c->tabindex < c->tablen; c->tabindex++, c->bufindex+=4)
|
|
||||||
read4B(&c->lengthtab[c->tabindex], &ptr[c->bufindex]);
|
|
||||||
|
|
||||||
- state->count += c->tablen * sizeof(UINT32) * 2;
|
|
||||||
-
|
|
||||||
/* read compressed rows */
|
|
||||||
for (c->rowno = 0; c->rowno < im->ysize; c->rowno++, state->y += state->ystep)
|
|
||||||
{
|
|
||||||
@@ -177,19 +239,21 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
{
|
|
||||||
c->rleoffset = c->starttab[c->rowno + c->channo * im->ysize];
|
|
||||||
c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
|
|
||||||
- c->rleoffset -= SGI_HEADER_SIZE;
|
|
||||||
|
|
||||||
- if (c->rleoffset + c->rlelength > c->bufsize) {
|
|
||||||
+ // Check for underflow of rleoffset-SGI_HEADER_SIZE
|
|
||||||
+ if (c->rleoffset < SGI_HEADER_SIZE) {
|
|
||||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
goto sgi_finish_decode;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ c->rleoffset -= SGI_HEADER_SIZE;
|
|
||||||
+
|
|
||||||
/* row decompression */
|
|
||||||
if (c->bpc ==1) {
|
|
||||||
- status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
|
||||||
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize, &ptr[c->bufsize-1]);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
- status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
|
||||||
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize, &ptr[c->bufsize-1]);
|
|
||||||
}
|
|
||||||
if (status == -1) {
|
|
||||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
|
||||||
@@ -198,7 +262,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
goto sgi_finish_decode;
|
|
||||||
}
|
|
||||||
|
|
||||||
- state->count += c->rlelength;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* store decompressed data in image */
|
|
||||||
@@ -206,7 +269,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
- c->bufsize++;
|
|
||||||
|
|
||||||
sgi_finish_decode: ;
|
|
||||||
|
|
||||||
@@ -217,5 +279,5 @@ sgi_finish_decode: ;
|
|
||||||
state->errcode=err;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- return state->count - c->bufsize;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
@ -1,58 +0,0 @@
|
|||||||
From 357fef8b4bd076e3a15e7ffc58a475626794c7e3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Fri, 9 Apr 2021 19:41:58 +0200
|
|
||||||
Subject: [PATCH 4/4] CVE-2021-27921_27922_27923
|
|
||||||
|
|
||||||
---
|
|
||||||
src/PIL/BlpImagePlugin.py | 1 +
|
|
||||||
src/PIL/IcnsImagePlugin.py | 2 ++
|
|
||||||
src/PIL/IcoImagePlugin.py | 1 +
|
|
||||||
3 files changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
|
|
||||||
index ec358db..d56d46c 100644
|
|
||||||
--- a/src/PIL/BlpImagePlugin.py
|
|
||||||
+++ b/src/PIL/BlpImagePlugin.py
|
|
||||||
@@ -362,6 +362,7 @@ class BLP1Decoder(_BLPBaseDecoder):
|
|
||||||
data = jpeg_header + data
|
|
||||||
data = BytesIO(data)
|
|
||||||
image = JpegImageFile(data)
|
|
||||||
+ Image._decompression_bomb_check(image.size)
|
|
||||||
self.tile = image.tile # :/
|
|
||||||
self.fd = image.fp
|
|
||||||
self.mode = image.mode
|
|
||||||
diff --git a/src/PIL/IcnsImagePlugin.py b/src/PIL/IcnsImagePlugin.py
|
|
||||||
index b382a73..2292584 100644
|
|
||||||
--- a/src/PIL/IcnsImagePlugin.py
|
|
||||||
+++ b/src/PIL/IcnsImagePlugin.py
|
|
||||||
@@ -110,6 +110,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
|
|
||||||
if sig[:8] == b'\x89PNG\x0d\x0a\x1a\x0a':
|
|
||||||
fobj.seek(start)
|
|
||||||
im = PngImagePlugin.PngImageFile(fobj)
|
|
||||||
+ Image._decompression_bomb_check(im.size)
|
|
||||||
return {"RGBA": im}
|
|
||||||
elif sig[:4] == b'\xff\x4f\xff\x51' \
|
|
||||||
or sig[:4] == b'\x0d\x0a\x87\x0a' \
|
|
||||||
@@ -122,6 +123,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
|
|
||||||
jp2kstream = fobj.read(length)
|
|
||||||
f = io.BytesIO(jp2kstream)
|
|
||||||
im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
|
|
||||||
+ Image._decompression_bomb_check(im.size)
|
|
||||||
if im.mode != 'RGBA':
|
|
||||||
im = im.convert('RGBA')
|
|
||||||
return {"RGBA": im}
|
|
||||||
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
|
|
||||||
index 2b6d1e0..30412ad 100644
|
|
||||||
--- a/src/PIL/IcoImagePlugin.py
|
|
||||||
+++ b/src/PIL/IcoImagePlugin.py
|
|
||||||
@@ -164,6 +164,7 @@ class IcoFile(object):
|
|
||||||
if data[:8] == PngImagePlugin._MAGIC:
|
|
||||||
# png frame
|
|
||||||
im = PngImagePlugin.PngImageFile(self.buf)
|
|
||||||
+ Image._decompression_bomb_check(im.size)
|
|
||||||
else:
|
|
||||||
# XOR + AND mask bmp frame
|
|
||||||
im = BmpImagePlugin.DibImageFile(self.buf)
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
@ -1,146 +0,0 @@
|
|||||||
From 7fe3dff241c11206616bf6229be898854ce0d066 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Mon, 14 Jun 2021 11:33:36 +0200
|
|
||||||
Subject: [PATCH] CVE-2021-28675
|
|
||||||
|
|
||||||
---
|
|
||||||
src/PIL/ImageFile.py | 12 ++++++++++--
|
|
||||||
src/PIL/PsdImagePlugin.py | 33 +++++++++++++++++++++++----------
|
|
||||||
2 files changed, 33 insertions(+), 12 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/PIL/ImageFile.py b/src/PIL/ImageFile.py
|
|
||||||
index 1a3c4aa..2cef9ee 100644
|
|
||||||
--- a/src/PIL/ImageFile.py
|
|
||||||
+++ b/src/PIL/ImageFile.py
|
|
||||||
@@ -522,12 +522,18 @@ def _safe_read(fp, size):
|
|
||||||
|
|
||||||
:param fp: File handle. Must implement a <b>read</b> method.
|
|
||||||
:param size: Number of bytes to read.
|
|
||||||
- :returns: A string containing up to <i>size</i> bytes of data.
|
|
||||||
+ :returns: A string containing <i>size</i> bytes of data.
|
|
||||||
+
|
|
||||||
+ Raises an OSError if the file is truncated and the read can not be completed
|
|
||||||
+
|
|
||||||
"""
|
|
||||||
if size <= 0:
|
|
||||||
return b""
|
|
||||||
if size <= SAFEBLOCK:
|
|
||||||
- return fp.read(size)
|
|
||||||
+ data = fp.read(size)
|
|
||||||
+ if len(data) < size:
|
|
||||||
+ raise OSError("Truncated File Read")
|
|
||||||
+ return data
|
|
||||||
data = []
|
|
||||||
while size > 0:
|
|
||||||
block = fp.read(min(size, SAFEBLOCK))
|
|
||||||
@@ -535,6 +541,8 @@ def _safe_read(fp, size):
|
|
||||||
break
|
|
||||||
data.append(block)
|
|
||||||
size -= len(block)
|
|
||||||
+ if sum(len(d) for d in data) < size:
|
|
||||||
+ raise OSError("Truncated File Read")
|
|
||||||
return b"".join(data)
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
|
|
||||||
index fe2a2ff..add9996 100644
|
|
||||||
--- a/src/PIL/PsdImagePlugin.py
|
|
||||||
+++ b/src/PIL/PsdImagePlugin.py
|
|
||||||
@@ -18,6 +18,8 @@
|
|
||||||
|
|
||||||
__version__ = "0.4"
|
|
||||||
|
|
||||||
+import io
|
|
||||||
+
|
|
||||||
from . import Image, ImageFile, ImagePalette
|
|
||||||
from ._binary import i8, i16be as i16, i32be as i32
|
|
||||||
|
|
||||||
@@ -114,7 +116,8 @@ class PsdImageFile(ImageFile.ImageFile):
|
|
||||||
end = self.fp.tell() + size
|
|
||||||
size = i32(read(4))
|
|
||||||
if size:
|
|
||||||
- self.layers = _layerinfo(self.fp)
|
|
||||||
+ _layer_data = io.BytesIO(ImageFile._safe_read(self.fp, size))
|
|
||||||
+ self.layers = _layerinfo(_layer_data, size)
|
|
||||||
self.fp.seek(end)
|
|
||||||
|
|
||||||
#
|
|
||||||
@@ -164,11 +167,20 @@ class PsdImageFile(ImageFile.ImageFile):
|
|
||||||
Image.Image.load(self)
|
|
||||||
|
|
||||||
|
|
||||||
-def _layerinfo(file):
|
|
||||||
+def _layerinfo(fp, ct_bytes):
|
|
||||||
# read layerinfo block
|
|
||||||
layers = []
|
|
||||||
- read = file.read
|
|
||||||
- for i in range(abs(i16(read(2)))):
|
|
||||||
+
|
|
||||||
+ def read(size):
|
|
||||||
+ return ImageFile._safe_read(fp, size)
|
|
||||||
+
|
|
||||||
+ ct = i16(read(2))
|
|
||||||
+
|
|
||||||
+ # sanity check
|
|
||||||
+ if ct_bytes < (abs(ct) * 20):
|
|
||||||
+ raise SyntaxError("Layer block too short for number of layers requested")
|
|
||||||
+
|
|
||||||
+ for i in range(abs(ct)):
|
|
||||||
|
|
||||||
# bounding box
|
|
||||||
y0 = i32(read(4))
|
|
||||||
@@ -179,7 +191,8 @@ def _layerinfo(file):
|
|
||||||
# image info
|
|
||||||
info = []
|
|
||||||
mode = []
|
|
||||||
- types = list(range(i16(read(2))))
|
|
||||||
+ ct_types = i16(read(2))
|
|
||||||
+ types = list(range(ct_types))
|
|
||||||
if len(types) > 4:
|
|
||||||
continue
|
|
||||||
|
|
||||||
@@ -212,7 +225,7 @@ def _layerinfo(file):
|
|
||||||
size = i32(read(4)) # length of the extra data field
|
|
||||||
combined = 0
|
|
||||||
if size:
|
|
||||||
- data_end = file.tell() + size
|
|
||||||
+ data_end = fp.tell() + size
|
|
||||||
|
|
||||||
length = i32(read(4))
|
|
||||||
if length:
|
|
||||||
@@ -220,12 +233,12 @@ def _layerinfo(file):
|
|
||||||
mask_x = i32(read(4))
|
|
||||||
mask_h = i32(read(4)) - mask_y
|
|
||||||
mask_w = i32(read(4)) - mask_x
|
|
||||||
- file.seek(length - 16, 1)
|
|
||||||
+ fp.seek(length - 16, 1)
|
|
||||||
combined += length + 4
|
|
||||||
|
|
||||||
length = i32(read(4))
|
|
||||||
if length:
|
|
||||||
- file.seek(length, 1)
|
|
||||||
+ fp.seek(length, 1)
|
|
||||||
combined += length + 4
|
|
||||||
|
|
||||||
length = i8(read(1))
|
|
||||||
@@ -235,7 +248,7 @@ def _layerinfo(file):
|
|
||||||
name = read(length).decode('latin-1', 'replace')
|
|
||||||
combined += length + 1
|
|
||||||
|
|
||||||
- file.seek(data_end)
|
|
||||||
+ fp.seek(data_end)
|
|
||||||
layers.append((name, mode, (x0, y0, x1, y1)))
|
|
||||||
|
|
||||||
# get tiles
|
|
||||||
@@ -243,7 +256,7 @@ def _layerinfo(file):
|
|
||||||
for name, mode, bbox in layers:
|
|
||||||
tile = []
|
|
||||||
for m in mode:
|
|
||||||
- t = _maketile(file, m, bbox, 1)
|
|
||||||
+ t = _maketile(fp, m, bbox, 1)
|
|
||||||
if t:
|
|
||||||
tile.extend(t)
|
|
||||||
layers[i] = name, mode, bbox, tile
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
From cedb7ba568161021bc2f2f48af95fcf33e262f77 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Mon, 14 Jun 2021 09:30:01 +0200
|
|
||||||
Subject: [PATCH 4/5] CVE-2021-28676
|
|
||||||
|
|
||||||
---
|
|
||||||
src/libImaging/FliDecode.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
|
||||||
index 72ba138..9181b8b 100644
|
|
||||||
--- a/src/libImaging/FliDecode.c
|
|
||||||
+++ b/src/libImaging/FliDecode.c
|
|
||||||
@@ -209,6 +209,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
advance = I32(ptr);
|
|
||||||
+ if (advance == 0 ) {
|
|
||||||
+ // If there's no advance, we're in in infinite loop
|
|
||||||
+ state->errcode = IMAGING_CODEC_BROKEN;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
ptr += advance;
|
|
||||||
bytes -= advance;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From 8ad7b436649c424e22689a8a874c1b0cd7c1c0fc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Mon, 14 Jun 2021 09:22:45 +0200
|
|
||||||
Subject: [PATCH 3/5] CVE-2021-28677
|
|
||||||
|
|
||||||
---
|
|
||||||
src/PIL/EpsImagePlugin.py | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/PIL/EpsImagePlugin.py b/src/PIL/EpsImagePlugin.py
|
|
||||||
index b503487..5f5af15 100644
|
|
||||||
--- a/src/PIL/EpsImagePlugin.py
|
|
||||||
+++ b/src/PIL/EpsImagePlugin.py
|
|
||||||
@@ -167,12 +167,12 @@ class PSFile(object):
|
|
||||||
self.fp.seek(offset, whence)
|
|
||||||
|
|
||||||
def readline(self):
|
|
||||||
- s = self.char or b""
|
|
||||||
+ s = [self.char or b""]
|
|
||||||
self.char = None
|
|
||||||
|
|
||||||
c = self.fp.read(1)
|
|
||||||
- while c not in b"\r\n":
|
|
||||||
- s = s + c
|
|
||||||
+ while (c not in b"\r\n") and len(c):
|
|
||||||
+ s.append(c)
|
|
||||||
c = self.fp.read(1)
|
|
||||||
|
|
||||||
self.char = self.fp.read(1)
|
|
||||||
@@ -180,7 +180,7 @@ class PSFile(object):
|
|
||||||
if self.char in b"\r\n":
|
|
||||||
self.char = None
|
|
||||||
|
|
||||||
- return s.decode('latin-1')
|
|
||||||
+ return b"".join(s).decode("latin-1")
|
|
||||||
|
|
||||||
|
|
||||||
def _accept(prefix):
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,122 +0,0 @@
|
|||||||
From eaef29c3696cd021147e692360997f4c12377c60 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Mon, 14 Jun 2021 09:19:50 +0200
|
|
||||||
Subject: [PATCH 2/5] CVE-2021-28678
|
|
||||||
|
|
||||||
---
|
|
||||||
src/PIL/BlpImagePlugin.py | 43 +++++++++++++++++++++------------------
|
|
||||||
1 file changed, 23 insertions(+), 20 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
|
|
||||||
index d56d46c..846c83d 100644
|
|
||||||
--- a/src/PIL/BlpImagePlugin.py
|
|
||||||
+++ b/src/PIL/BlpImagePlugin.py
|
|
||||||
@@ -294,33 +294,36 @@ class _BLPBaseDecoder(ImageFile.PyDecoder):
|
|
||||||
raise IOError("Truncated Blp file")
|
|
||||||
return 0, 0
|
|
||||||
|
|
||||||
+ def _safe_read(self, length):
|
|
||||||
+ return ImageFile._safe_read(self.fd, length)
|
|
||||||
+
|
|
||||||
def _read_palette(self):
|
|
||||||
ret = []
|
|
||||||
for i in range(256):
|
|
||||||
try:
|
|
||||||
- b, g, r, a = struct.unpack("<4B", self.fd.read(4))
|
|
||||||
+ b, g, r, a = struct.unpack("<4B", self._safe_read(4))
|
|
||||||
except struct.error:
|
|
||||||
break
|
|
||||||
ret.append((b, g, r, a))
|
|
||||||
return ret
|
|
||||||
|
|
||||||
def _read_blp_header(self):
|
|
||||||
- self._blp_compression, = struct.unpack("<i", self.fd.read(4))
|
|
||||||
+ self._blp_compression, = struct.unpack("<i", self._safe_read(4))
|
|
||||||
|
|
||||||
- self._blp_encoding, = struct.unpack("<b", self.fd.read(1))
|
|
||||||
- self._blp_alpha_depth, = struct.unpack("<b", self.fd.read(1))
|
|
||||||
- self._blp_alpha_encoding, = struct.unpack("<b", self.fd.read(1))
|
|
||||||
- self._blp_mips, = struct.unpack("<b", self.fd.read(1))
|
|
||||||
+ self._blp_encoding, = struct.unpack("<b", self._safe_read(1))
|
|
||||||
+ self._blp_alpha_depth, = struct.unpack("<b", self._safe_read(1))
|
|
||||||
+ self._blp_alpha_encoding, = struct.unpack("<b", self._safe_read(1))
|
|
||||||
+ self._blp_mips, = struct.unpack("<b", self._safe_read(1))
|
|
||||||
|
|
||||||
- self.size = struct.unpack("<II", self.fd.read(8))
|
|
||||||
+ self.size = struct.unpack("<II", self._safe_read(8))
|
|
||||||
|
|
||||||
if self.magic == b"BLP1":
|
|
||||||
# Only present for BLP1
|
|
||||||
- self._blp_encoding, = struct.unpack("<i", self.fd.read(4))
|
|
||||||
- self._blp_subtype, = struct.unpack("<i", self.fd.read(4))
|
|
||||||
+ self._blp_encoding, = struct.unpack("<i", self._safe_read(4))
|
|
||||||
+ self._blp_subtype, = struct.unpack("<i", self._safe_read(4))
|
|
||||||
|
|
||||||
- self._blp_offsets = struct.unpack("<16I", self.fd.read(16 * 4))
|
|
||||||
- self._blp_lengths = struct.unpack("<16I", self.fd.read(16 * 4))
|
|
||||||
+ self._blp_offsets = struct.unpack("<16I", self._safe_read(16 * 4))
|
|
||||||
+ self._blp_lengths = struct.unpack("<16I", self._safe_read(16 * 4))
|
|
||||||
|
|
||||||
|
|
||||||
class BLP1Decoder(_BLPBaseDecoder):
|
|
||||||
@@ -333,7 +336,7 @@ class BLP1Decoder(_BLPBaseDecoder):
|
|
||||||
if self._blp_encoding in (4, 5):
|
|
||||||
data = bytearray()
|
|
||||||
palette = self._read_palette()
|
|
||||||
- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
|
|
||||||
+ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
|
|
||||||
while True:
|
|
||||||
try:
|
|
||||||
offset, = struct.unpack("<B", _data.read(1))
|
|
||||||
@@ -355,10 +358,10 @@ class BLP1Decoder(_BLPBaseDecoder):
|
|
||||||
def _decode_jpeg_stream(self):
|
|
||||||
from PIL.JpegImagePlugin import JpegImageFile
|
|
||||||
|
|
||||||
- jpeg_header_size, = struct.unpack("<I", self.fd.read(4))
|
|
||||||
- jpeg_header = self.fd.read(jpeg_header_size)
|
|
||||||
- self.fd.read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
|
|
||||||
- data = self.fd.read(self._blp_lengths[0])
|
|
||||||
+ jpeg_header_size, = struct.unpack("<I", self._safe_read(4))
|
|
||||||
+ jpeg_header = self._safe_read(jpeg_header_size)
|
|
||||||
+ self._safe_read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
|
|
||||||
+ data = self._safe_read(self._blp_lengths[0])
|
|
||||||
data = jpeg_header + data
|
|
||||||
data = BytesIO(data)
|
|
||||||
image = JpegImageFile(data)
|
|
||||||
@@ -380,7 +383,7 @@ class BLP2Decoder(_BLPBaseDecoder):
|
|
||||||
# Uncompressed or DirectX compression
|
|
||||||
|
|
||||||
if self._blp_encoding == BLP_ENCODING_UNCOMPRESSED:
|
|
||||||
- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
|
|
||||||
+ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
|
|
||||||
while True:
|
|
||||||
try:
|
|
||||||
offset, = struct.unpack("<B", _data.read(1))
|
|
||||||
@@ -394,7 +397,7 @@ class BLP2Decoder(_BLPBaseDecoder):
|
|
||||||
linesize = (self.size[0] + 3) // 4 * 8
|
|
||||||
for yb in range((self.size[1] + 3) // 4):
|
|
||||||
for d in decode_dxt1(
|
|
||||||
- self.fd.read(linesize),
|
|
||||||
+ self._safe_read(linesize),
|
|
||||||
alpha=bool(self._blp_alpha_depth)
|
|
||||||
):
|
|
||||||
data += d
|
|
||||||
@@ -402,13 +405,13 @@ class BLP2Decoder(_BLPBaseDecoder):
|
|
||||||
elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT3:
|
|
||||||
linesize = (self.size[0] + 3) // 4 * 16
|
|
||||||
for yb in range((self.size[1] + 3) // 4):
|
|
||||||
- for d in decode_dxt3(self.fd.read(linesize)):
|
|
||||||
+ for d in decode_dxt3(self._safe_read(linesize)):
|
|
||||||
data += d
|
|
||||||
|
|
||||||
elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT5:
|
|
||||||
linesize = (self.size[0] + 3) // 4 * 16
|
|
||||||
for yb in range((self.size[1] + 3) // 4):
|
|
||||||
- for d in decode_dxt5(self.fd.read(linesize)):
|
|
||||||
+ for d in decode_dxt5(self._safe_read(linesize)):
|
|
||||||
data += d
|
|
||||||
else:
|
|
||||||
raise BLPFormatError("Unsupported alpha encoding %r" % (
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c
|
|
||||||
index b3e48e5..cfed8ad 100644
|
|
||||||
--- a/src/libImaging/Convert.c
|
|
||||||
+++ b/src/libImaging/Convert.c
|
|
||||||
@@ -1338,9 +1338,8 @@ convert(Imaging imOut, Imaging imIn, const char *mode,
|
|
||||||
return (Imaging) ImagingError_ValueError("conversion not supported");
|
|
||||||
#else
|
|
||||||
{
|
|
||||||
- static char buf[256];
|
|
||||||
- /* FIXME: may overflow if mode is too large */
|
|
||||||
- sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode);
|
|
||||||
+ static char buf[100];
|
|
||||||
+ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
|
|
||||||
return (Imaging) ImagingError_ValueError(buf);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
@@ -1394,9 +1393,13 @@ ImagingConvertTransparent(Imaging imIn, const char *mode,
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
{
|
|
||||||
- static char buf[256];
|
|
||||||
- /* FIXME: may overflow if mode is too large */
|
|
||||||
- sprintf(buf, "conversion from %s to %s not supported in convert_transparent", imIn->mode, mode);
|
|
||||||
+ static char buf[100];
|
|
||||||
+ snprintf(
|
|
||||||
+ buf,
|
|
||||||
+ 100,
|
|
||||||
+ "conversion from %.10s to %.10s not supported in convert_transparent",
|
|
||||||
+ imIn->mode,
|
|
||||||
+ mode);
|
|
||||||
return (Imaging) ImagingError_ValueError(buf);
|
|
||||||
}
|
|
||||||
#endif
|
|
@ -1,69 +0,0 @@
|
|||||||
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
|
|
||||||
index 98a6d34..733fd29 100644
|
|
||||||
--- a/Tests/test_imagepath.py
|
|
||||||
+++ b/Tests/test_imagepath.py
|
|
||||||
@@ -67,6 +67,11 @@ class TestImagePath(PillowTestCase):
|
|
||||||
p = ImagePath.Path(arr.tostring())
|
|
||||||
self.assertEqual(list(p), [(0.0, 1.0)])
|
|
||||||
|
|
||||||
+ def test_getbbox(self):
|
|
||||||
+ for coords in (0,1):
|
|
||||||
+ p = ImagePath.Path(coords)
|
|
||||||
+ self.assertEqual(p.getbbox(), (0.0, 0.0, 0.0, 0.0))
|
|
||||||
+
|
|
||||||
def test_overflow_segfault(self):
|
|
||||||
# Some Pythons fail getting the argument as an integer, and it falls
|
|
||||||
# through to the sequence. Seeing this on 32-bit Windows.
|
|
||||||
diff --git a/src/path.c b/src/path.c
|
|
||||||
index eb1e065..5215f87 100644
|
|
||||||
--- a/src/path.c
|
|
||||||
+++ b/src/path.c
|
|
||||||
@@ -62,7 +62,7 @@ alloc_array(Py_ssize_t count)
|
|
||||||
PyErr_NoMemory();
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
- xy = malloc(2 * count * sizeof(double) + 1);
|
|
||||||
+ xy = calloc(2 * count + 1, sizeof(double));
|
|
||||||
if (!xy)
|
|
||||||
PyErr_NoMemory();
|
|
||||||
return xy;
|
|
||||||
@@ -330,18 +330,27 @@ path_getbbox(PyPathObject* self, PyObject* args)
|
|
||||||
|
|
||||||
xy = self->xy;
|
|
||||||
|
|
||||||
- x0 = x1 = xy[0];
|
|
||||||
- y0 = y1 = xy[1];
|
|
||||||
-
|
|
||||||
- for (i = 1; i < self->count; i++) {
|
|
||||||
- if (xy[i+i] < x0)
|
|
||||||
- x0 = xy[i+i];
|
|
||||||
- if (xy[i+i] > x1)
|
|
||||||
- x1 = xy[i+i];
|
|
||||||
- if (xy[i+i+1] < y0)
|
|
||||||
- y0 = xy[i+i+1];
|
|
||||||
- if (xy[i+i+1] > y1)
|
|
||||||
- y1 = xy[i+i+1];
|
|
||||||
+ if (self->count == 0) {
|
|
||||||
+ x0 = x1 = 0;
|
|
||||||
+ y0 = y1 = 0;
|
|
||||||
+ } else {
|
|
||||||
+ x0 = x1 = xy[0];
|
|
||||||
+ y0 = y1 = xy[1];
|
|
||||||
+
|
|
||||||
+ for (i = 1; i < self->count; i++) {
|
|
||||||
+ if (xy[i + i] < x0) {
|
|
||||||
+ x0 = xy[i + i];
|
|
||||||
+ }
|
|
||||||
+ if (xy[i + i] > x1) {
|
|
||||||
+ x1 = xy[i + i];
|
|
||||||
+ }
|
|
||||||
+ if (xy[i + i + 1] < y0) {
|
|
||||||
+ y0 = xy[i + i + 1];
|
|
||||||
+ }
|
|
||||||
+ if (xy[i + i + 1] > y1) {
|
|
||||||
+ y1 = xy[i + i + 1];
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
return Py_BuildValue("dddd", x0, y0, x1, y1);
|
|
@ -1,41 +0,0 @@
|
|||||||
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
|
|
||||||
index 2329b74..d3b7ba3 100644
|
|
||||||
--- a/Tests/test_imagemath.py
|
|
||||||
+++ b/Tests/test_imagemath.py
|
|
||||||
@@ -58,6 +58,12 @@ class TestImageMath(PillowTestCase):
|
|
||||||
self.assertEqual(pixel(
|
|
||||||
ImageMath.eval("float(B)**33", images)), "F 8589934592.0")
|
|
||||||
|
|
||||||
+ def test_prevent_exec(self):
|
|
||||||
+ self.assertRaises(ValueError, ImageMath.eval("exec('pass')"))
|
|
||||||
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
|
|
||||||
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
|
|
||||||
+
|
|
||||||
+
|
|
||||||
def test_logical(self):
|
|
||||||
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
|
|
||||||
self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
|
|
||||||
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
|
|
||||||
index c5bea70..13839e4 100644
|
|
||||||
--- a/src/PIL/ImageMath.py
|
|
||||||
+++ b/src/PIL/ImageMath.py
|
|
||||||
@@ -263,7 +263,18 @@ def eval(expression, _dict={}, **kw):
|
|
||||||
if hasattr(v, "im"):
|
|
||||||
args[k] = _Operand(v)
|
|
||||||
|
|
||||||
- out = builtins.eval(expression, args)
|
|
||||||
+ compiled_code = compile(expression, "<string>", "eval")
|
|
||||||
+ def scan(code):
|
|
||||||
+ for const in code.co_consts:
|
|
||||||
+ if type(const) == type(compiled_code):
|
|
||||||
+ scan(const)
|
|
||||||
+
|
|
||||||
+ for name in code.co_names:
|
|
||||||
+ if name not in args and name != "abs":
|
|
||||||
+ raise ValueError(f"'{name}' not allowed")
|
|
||||||
+
|
|
||||||
+ scan(compiled_code)
|
|
||||||
+ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
|
|
||||||
try:
|
|
||||||
return out.im
|
|
||||||
except AttributeError:
|
|
@ -1,91 +0,0 @@
|
|||||||
From fc055dbef875b477c27196e10c61f98aeb23d62c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Fri, 10 Nov 2023 15:39:41 +0100
|
|
||||||
Subject: [PATCH] CVE-2023-44271
|
|
||||||
|
|
||||||
---
|
|
||||||
docs/reference/ImageFont.rst | 9 +++++++++
|
|
||||||
src/PIL/ImageFont.py | 12 ++++++++++++
|
|
||||||
2 files changed, 21 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/docs/reference/ImageFont.rst b/docs/reference/ImageFont.rst
|
|
||||||
index 76fde44..21b9d9d 100644
|
|
||||||
--- a/docs/reference/ImageFont.rst
|
|
||||||
+++ b/docs/reference/ImageFont.rst
|
|
||||||
@@ -17,6 +17,15 @@ OpenType fonts (as well as other font formats supported by the FreeType
|
|
||||||
library). For earlier versions, TrueType support is only available as part of
|
|
||||||
the imToolkit package
|
|
||||||
|
|
||||||
+.. warning::
|
|
||||||
+ To protect against potential DOS attacks when using arbitrary strings as
|
|
||||||
+ text input, Pillow will raise a ``ValueError`` if the number of characters
|
|
||||||
+ is over a certain limit, :py:data:`MAX_STRING_LENGTH`.
|
|
||||||
+
|
|
||||||
+ This threshold can be changed by setting
|
|
||||||
+ :py:data:`MAX_STRING_LENGTH`. It can be disabled by setting
|
|
||||||
+ ``ImageFont.MAX_STRING_LENGTH = None``.
|
|
||||||
+
|
|
||||||
Example
|
|
||||||
-------
|
|
||||||
|
|
||||||
diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py
|
|
||||||
index f3b55e0..7e7b62f 100644
|
|
||||||
--- a/src/PIL/ImageFont.py
|
|
||||||
+++ b/src/PIL/ImageFont.py
|
|
||||||
@@ -39,6 +39,8 @@ class _imagingft_not_installed(object):
|
|
||||||
def __getattr__(self, id):
|
|
||||||
raise ImportError("The _imagingft C module is not installed")
|
|
||||||
|
|
||||||
+MAX_STRING_LENGTH = 1_000_000
|
|
||||||
+
|
|
||||||
|
|
||||||
try:
|
|
||||||
from . import _imagingft as core
|
|
||||||
@@ -46,6 +48,12 @@ except ImportError:
|
|
||||||
core = _imagingft_not_installed()
|
|
||||||
|
|
||||||
|
|
||||||
+def _string_length_check(text):
|
|
||||||
+ if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH:
|
|
||||||
+ msg = "too many characters in string"
|
|
||||||
+ raise ValueError(msg)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
# FIXME: add support for pilfont2 format (see FontFile.py)
|
|
||||||
|
|
||||||
# --------------------------------------------------------------------
|
|
||||||
@@ -109,6 +117,7 @@ class ImageFont(object):
|
|
||||||
self.font = Image.core.font(image.im, data)
|
|
||||||
|
|
||||||
def getsize(self, text, *args, **kwargs):
|
|
||||||
+ _string_length_check(text)
|
|
||||||
return self.font.getsize(text)
|
|
||||||
|
|
||||||
def getmask(self, text, mode="", *args, **kwargs):
|
|
||||||
@@ -154,6 +163,7 @@ class FreeTypeFont(object):
|
|
||||||
return self.font.ascent, self.font.descent
|
|
||||||
|
|
||||||
def getsize(self, text, direction=None, features=None):
|
|
||||||
+ _string_length_check(text)
|
|
||||||
size, offset = self.font.getsize(text, direction, features)
|
|
||||||
return (size[0] + offset[0], size[1] + offset[1])
|
|
||||||
|
|
||||||
@@ -164,6 +174,7 @@ class FreeTypeFont(object):
|
|
||||||
return self.getmask2(text, mode, direction=direction, features=features)[0]
|
|
||||||
|
|
||||||
def getmask2(self, text, mode="", fill=Image.core.fill, direction=None, features=None, *args, **kwargs):
|
|
||||||
+ _string_length_check(text)
|
|
||||||
size, offset = self.font.getsize(text, direction, features)
|
|
||||||
im = fill("L", size, 0)
|
|
||||||
self.font.render(text, im.id, mode == "1", direction, features)
|
|
||||||
@@ -205,6 +216,7 @@ class TransposedFont(object):
|
|
||||||
self.orientation = orientation # any 'transpose' argument, or None
|
|
||||||
|
|
||||||
def getsize(self, text, *args, **kwargs):
|
|
||||||
+ _string_length_check(text)
|
|
||||||
w, h = self.font.getsize(text)
|
|
||||||
if self.orientation in (Image.ROTATE_90, Image.ROTATE_270):
|
|
||||||
return h, w
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,46 +0,0 @@
|
|||||||
From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Eric Soroos <eric-github@soroos.net>
|
|
||||||
Date: Thu, 25 Jan 2024 13:23:56 +0100
|
|
||||||
Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
|
|
||||||
ImageMath.eval
|
|
||||||
|
|
||||||
---
|
|
||||||
Tests/test_imagemath.py | 5 +++++
|
|
||||||
src/PIL/ImageMath.py | 5 +++++
|
|
||||||
2 files changed, 10 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
|
|
||||||
index d3b7ba3..2467078 100644
|
|
||||||
--- a/Tests/test_imagemath.py
|
|
||||||
+++ b/Tests/test_imagemath.py
|
|
||||||
@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
|
|
||||||
self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
|
|
||||||
self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
|
|
||||||
|
|
||||||
+ def test_prevent_double_underscores(self):
|
|
||||||
+ self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
|
|
||||||
+
|
|
||||||
+ def test_prevent_builtins(self):
|
|
||||||
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
|
|
||||||
|
|
||||||
def test_logical(self):
|
|
||||||
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
|
|
||||||
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
|
|
||||||
index 13839e4..94108cf 100644
|
|
||||||
--- a/src/PIL/ImageMath.py
|
|
||||||
+++ b/src/PIL/ImageMath.py
|
|
||||||
@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
|
|
||||||
|
|
||||||
# build execution namespace
|
|
||||||
args = ops.copy()
|
|
||||||
+ for k in list(_dict.keys()) + list(kw.keys()):
|
|
||||||
+ if "__" in k or hasattr(builtins, k):
|
|
||||||
+ msg = f"'{k}' not allowed"
|
|
||||||
+ raise ValueError(msg)
|
|
||||||
+
|
|
||||||
args.update(_dict)
|
|
||||||
args.update(kw)
|
|
||||||
for k, v in list(args.items()):
|
|
||||||
--
|
|
||||||
2.43.0
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From 2d30e67ec0b77993de62f975aae29266d8d1f784 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lumir Balhar <lbalhar@redhat.com>
|
|
||||||
Date: Thu, 4 Apr 2024 13:01:56 +0200
|
|
||||||
Subject: [PATCH] CVE-2024-28219
|
|
||||||
|
|
||||||
---
|
|
||||||
src/_imagingcms.c | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/_imagingcms.c b/src/_imagingcms.c
|
|
||||||
index 5e4196c..4169e28 100644
|
|
||||||
--- a/src/_imagingcms.c
|
|
||||||
+++ b/src/_imagingcms.c
|
|
||||||
@@ -212,8 +212,8 @@ cms_transform_new(cmsHTRANSFORM transform, char* mode_in, char* mode_out)
|
|
||||||
|
|
||||||
self->transform = transform;
|
|
||||||
|
|
||||||
- strcpy(self->mode_in, mode_in);
|
|
||||||
- strcpy(self->mode_out, mode_out);
|
|
||||||
+ strncpy(self->mode_in, mode_in, 8);
|
|
||||||
+ strncpy(self->mode_out, mode_out, 8);
|
|
||||||
|
|
||||||
return (PyObject*) self;
|
|
||||||
}
|
|
||||||
@@ -286,8 +286,8 @@ findLCMStype(char* PILmode)
|
|
||||||
}
|
|
||||||
|
|
||||||
else {
|
|
||||||
- /* take a wild guess... but you probably should fail instead. */
|
|
||||||
- return TYPE_GRAY_8; /* so there's no buffer overrun... */
|
|
||||||
+ /* take a wild guess... */
|
|
||||||
+ return TYPE_GRAY_8;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,667 +0,0 @@
|
|||||||
%global py3_incdir %(python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_inc())')
|
|
||||||
%global py3_libbuilddir %(python3 -c 'import sys; import sysconfig; print("lib.{p}-{v[0]}.{v[1]}".format(p=sysconfig.get_platform(), v=sys.version_info))')
|
|
||||||
|
|
||||||
%global srcname pillow
|
|
||||||
# bootstrap building docs (pillow is required by docutils, docutils are
|
|
||||||
# required by sphinx; pillow build-requires sphinx)
|
|
||||||
%global with_docs 1
|
|
||||||
|
|
||||||
Name: python-%{srcname}
|
|
||||||
Version: 5.1.1
|
|
||||||
Release: 21%{?dist}
|
|
||||||
Summary: Python image processing library
|
|
||||||
|
|
||||||
# License: see http://www.pythonware.com/products/pil/license.htm
|
|
||||||
License: MIT
|
|
||||||
URL: http://python-pillow.github.io/
|
|
||||||
Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
|
|
||||||
Patch0: 0001-Fix-potential-un-terminated-buffer-problem-CWE-120.patch
|
|
||||||
Patch1: 0002-Fix-potential-leaked-storage-issues-CWE-772.patch
|
|
||||||
Patch2: 0003-Fix-dereferencing-type-punned-pointer.patch
|
|
||||||
# Combined fixes for CVE-2020-5312 improperly restricted operations on memory buffer in libImaging/PcxDecode.c
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1789533
|
|
||||||
# https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd
|
|
||||||
# and for CVE-2019-16865 reading specially crafted image files leads to allocation of large amounts of memory and denial of service
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1774066
|
|
||||||
# https://github.com/python-pillow/Pillow/commit/cc16025e234b7a7a4dd3a86d2fdc0980698db9cc
|
|
||||||
# https://github.com/python-pillow/Pillow/commit/b36c1bc943d554ba223086c7efb502d080f73905
|
|
||||||
# https://github.com/python-pillow/Pillow/commit/f228d0ccbf6bf9392d7fcd51356ef2cfda80c75a
|
|
||||||
# https://github.com/python-pillow/Pillow/commit/b9693a51c99c260bd66d1affeeab4a226cf7e5a5
|
|
||||||
Patch3: CVE-2020-5312_CVE-2019-16865.patch
|
|
||||||
# Fix for CVE-2020-5311 - out-of-bounds write in expandrow in libImaging/SgiRleDecode.c
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1789535
|
|
||||||
# https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3
|
|
||||||
Patch4: CVE-2020-5311.patch
|
|
||||||
# CVE-2020-5313 out-of-bounds read in ImagingFliDecode when loading FLI images
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532
|
|
||||||
Patch5: CVE-2020-5313.patch
|
|
||||||
# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814
|
|
||||||
Patch6: CVE-2020-11538.patch
|
|
||||||
# CVE-2020-35653 decoding a crafted PCX file could result in buffer over-read
|
|
||||||
# Note that there is a wrong CVE number in the commit msg
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1915432
|
|
||||||
Patch7: CVE-2020-35653.patch
|
|
||||||
# CVE-2020-35655 decoding crafted SGI RLE image files could result in buffer over-read
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/120eea2e4547a7d1826afdf01563035844f0b7d5
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35653
|
|
||||||
Patch8: CVE-2020-35655.patch
|
|
||||||
# CVE-2021-25290 negative-offset memcpy with an invalid size in TiffDecode.c
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/86f02f7c70862a0954bfe8133736d352db978eaa
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1934685
|
|
||||||
Patch9: CVE-2021-25290.patch
|
|
||||||
# CVE-2021-25292 backtracking regex in PDF parser could be used as a DOS attack
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/3bce145966374dd39ce58a6fc0083f8d1890719c
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25292
|
|
||||||
Patch10: CVE-2021-25292.patch
|
|
||||||
# CVE-2021-25293 out-of-bounds read in SGIRleDecode.c
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/4853e522bddbec66022c0915b9a56255d0188bf9
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25293
|
|
||||||
Patch11: CVE-2021-25293.patch
|
|
||||||
# CVE-2021-27921 reported size of a contained image is not properly checked for a BLP container
|
|
||||||
# CVE-2021-27922 reported size of a contained image is not properly checked for an ICNS container
|
|
||||||
# CVE-2021-27923 reported size of a contained image is not properly checked for an ICO container
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/480f6819b592d7f07b9a9a52a7656c10bbe07442
|
|
||||||
# Tracking bugs:
|
|
||||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27921
|
|
||||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27922
|
|
||||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27923
|
|
||||||
Patch12: CVE-2021-27921_27922_27923.patch
|
|
||||||
# CVE-2021-25288 and 25287 out-of-bounds read in J2kDecode in j2ku_gray_i and j2ku_graya_la
|
|
||||||
# Upstream fixes this patch combines:
|
|
||||||
# - Original fix for the CVEs: https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
|
|
||||||
# - Older commit the fix is based on: https://github.com/python-pillow/Pillow/commit/cf6da6b79080a8c16984102fdc85f7ce28dca613
|
|
||||||
# Tracking bugs:
|
|
||||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25287
|
|
||||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25288
|
|
||||||
Patch13: CVE-2021-25287_25288.patch
|
|
||||||
# CVE-2021-28675 DoS in PsdImagePlugin
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/22e9bee4ef225c0edbb9323f94c26cee0c623497
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28675
|
|
||||||
Patch14: CVE-2021-28675.patch
|
|
||||||
# CVE-2021-28676 infinite loop in FliDecode.c can lead to DoS
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28676
|
|
||||||
Patch15: CVE-2021-28676.patch
|
|
||||||
# CVE-2021-28677 DoS in the open phase via a malicious EPS file
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28677
|
|
||||||
Patch16: CVE-2021-28677.patch
|
|
||||||
# CVE-2021-28678 improper check in BlpImagePlugin can lead to DoS
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28678
|
|
||||||
Patch17: CVE-2021-28678.patch
|
|
||||||
# CVE-2021-34552: buffer overflow in Convert.c because it allow an attacker to pass
|
|
||||||
# controlled parameters directly into a convert function
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
|
|
||||||
Patch18: CVE-2021-34552.patch
|
|
||||||
# CVE-2022-22817: PIL.ImageMath.eval allows evaluation of arbitrary expressions
|
|
||||||
# Upstream fixes:
|
|
||||||
# https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
|
|
||||||
# https://github.com/python-pillow/Pillow/commit/f84ab3bb8a0a196a52e8a76bebed2853362629de
|
|
||||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2042527
|
|
||||||
Patch19: CVE-2022-22817.patch
|
|
||||||
# CVE-2022-22815 python-pillow: improperly initializes ImagePath.Path in path_getbbox() in path.c
|
|
||||||
# CVE-2022-22816 python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f
|
|
||||||
# Memory issue fix: https://github.com/python-pillow/Pillow/pull/5958
|
|
||||||
# Tracking bugs:
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2042511
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2042522
|
|
||||||
Patch20: CVE-2022-22815_CVE-2022-22816.patch
|
|
||||||
# CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength
|
|
||||||
# in an ImageDraw instance operates on a long text argument
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
|
|
||||||
Patch21: CVE-2023-44271.patch
|
|
||||||
# CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
|
|
||||||
# Patch rebased and tests converted from pytest to unittests.
|
|
||||||
Patch22: CVE-2023-50447.patch
|
|
||||||
# CVE-2024-28219 python-pillow: buffer overflow in _imagingcms.c
|
|
||||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/7928
|
|
||||||
# Patch rebased. The test requires a binary file and therefore isn't backported.
|
|
||||||
Patch23: CVE-2024-28219.patch
|
|
||||||
|
|
||||||
BuildRequires: freetype-devel
|
|
||||||
BuildRequires: gcc
|
|
||||||
BuildRequires: ghostscript
|
|
||||||
BuildRequires: lcms2-devel
|
|
||||||
BuildRequires: libjpeg-devel
|
|
||||||
BuildRequires: libtiff-devel
|
|
||||||
BuildRequires: libwebp-devel
|
|
||||||
BuildRequires: openjpeg2-devel
|
|
||||||
BuildRequires: tk-devel
|
|
||||||
BuildRequires: zlib-devel
|
|
||||||
|
|
||||||
BuildRequires: python3-cffi
|
|
||||||
BuildRequires: python3-devel
|
|
||||||
BuildRequires: python3-numpy
|
|
||||||
BuildRequires: python3-setuptools
|
|
||||||
%if 0%{?with_docs}
|
|
||||||
BuildRequires: python3-sphinx
|
|
||||||
BuildRequires: python3-sphinx_rtd_theme
|
|
||||||
%endif # with_docs
|
|
||||||
BuildRequires: python3-tkinter
|
|
||||||
|
|
||||||
# For EpsImagePlugin.py
|
|
||||||
Requires: ghostscript
|
|
||||||
|
|
||||||
%global __provides_exclude_from ^%{python3_sitearch}/PIL/.*\\.so$
|
|
||||||
|
|
||||||
%description
|
|
||||||
Python image processing library, fork of the Python Imaging Library (PIL)
|
|
||||||
|
|
||||||
This library provides extensive file format support, an efficient
|
|
||||||
internal representation, and powerful image processing capabilities.
|
|
||||||
|
|
||||||
There are these subpackages: tk (tk interface),
|
|
||||||
devel (development) and doc (documentation).
|
|
||||||
|
|
||||||
|
|
||||||
%package -n python3-%{srcname}
|
|
||||||
Summary: Python 3 image processing library
|
|
||||||
%{?python_provide:%python_provide python3-%{srcname}}
|
|
||||||
Provides: python3-imaging = %{version}-%{release}
|
|
||||||
# For MicImagePlugin.py, FpxImagePlugin.py
|
|
||||||
|
|
||||||
%description -n python3-%{srcname}
|
|
||||||
Python image processing library, fork of the Python Imaging Library (PIL)
|
|
||||||
|
|
||||||
This library provides extensive file format support, an efficient
|
|
||||||
internal representation, and powerful image processing capabilities.
|
|
||||||
|
|
||||||
There are these subpackages: tk (tk interface),
|
|
||||||
devel (development) and doc (documentation).
|
|
||||||
|
|
||||||
|
|
||||||
%package -n python3-%{srcname}-devel
|
|
||||||
Summary: Development files for %{srcname}
|
|
||||||
Requires: python3-devel, libjpeg-devel, zlib-devel
|
|
||||||
Requires: python3-%{srcname}%{?_isa} = %{version}-%{release}
|
|
||||||
%{?python_provide:%python_provide python3-%{srcname}-devel}
|
|
||||||
Provides: python3-imaging-devel = %{version}-%{release}
|
|
||||||
|
|
||||||
%description -n python3-%{srcname}-devel
|
|
||||||
Development files for %{srcname}.
|
|
||||||
|
|
||||||
|
|
||||||
%package -n python3-%{srcname}-doc
|
|
||||||
Summary: Documentation for %{srcname}
|
|
||||||
BuildArch: noarch
|
|
||||||
Requires: python3-%{srcname} = %{version}-%{release}
|
|
||||||
%{?python_provide:%python_provide python3-%{srcname}-doc}
|
|
||||||
Provides: python3-imaging-doc = %{version}-%{release}
|
|
||||||
|
|
||||||
%description -n python3-%{srcname}-doc
|
|
||||||
Documentation for %{srcname}.
|
|
||||||
|
|
||||||
|
|
||||||
%package -n python3-%{srcname}-tk
|
|
||||||
Summary: Tk interface for %{srcname}
|
|
||||||
Requires: python3-tkinter
|
|
||||||
Requires: python3-%{srcname}%{?_isa} = %{version}-%{release}
|
|
||||||
%{?python_provide:%python_provide python3-%{srcname}-tk}
|
|
||||||
Provides: python3-imaging-tk = %{version}-%{release}
|
|
||||||
|
|
||||||
%description -n python3-%{srcname}-tk
|
|
||||||
Tk interface for %{name}.
|
|
||||||
|
|
||||||
|
|
||||||
%prep
|
|
||||||
%autosetup -p1 -n Pillow-%{version}
|
|
||||||
|
|
||||||
|
|
||||||
%build
|
|
||||||
%py3_build
|
|
||||||
|
|
||||||
%if 0%{?with_docs}
|
|
||||||
PYTHONPATH=$PWD/build/%py3_libbuilddir make -C docs html BUILDDIR=_build_py3 SPHINXBUILD=sphinx-build-%python3_version
|
|
||||||
rm -f docs/_build_py3/html/.buildinfo
|
|
||||||
%endif # with_docs
|
|
||||||
|
|
||||||
|
|
||||||
%install
|
|
||||||
install -d %{buildroot}/%{py3_incdir}/Imaging
|
|
||||||
install -m 644 src/libImaging/*.h %{buildroot}/%{py3_incdir}/Imaging
|
|
||||||
%py3_install
|
|
||||||
|
|
||||||
|
|
||||||
%check
|
|
||||||
ln -s $PWD/Images $PWD/build/%py3_libbuilddir/Images
|
|
||||||
cp -R $PWD/Tests $PWD/build/%py3_libbuilddir/Tests
|
|
||||||
cp -R $PWD/selftest.py $PWD/build/%py3_libbuilddir/selftest.py
|
|
||||||
pushd build/%py3_libbuilddir
|
|
||||||
PYTHONPATH=$PWD %{__python3} selftest.py
|
|
||||||
popd
|
|
||||||
|
|
||||||
|
|
||||||
%files -n python3-%{srcname}
|
|
||||||
%doc README.rst CHANGES.rst
|
|
||||||
%license docs/COPYING
|
|
||||||
%{python3_sitearch}/*
|
|
||||||
# These are in subpackages
|
|
||||||
%exclude %{python3_sitearch}/PIL/_imagingtk*
|
|
||||||
%exclude %{python3_sitearch}/PIL/ImageTk*
|
|
||||||
%exclude %{python3_sitearch}/PIL/SpiderImagePlugin*
|
|
||||||
%exclude %{python3_sitearch}/PIL/ImageQt*
|
|
||||||
%exclude %{python3_sitearch}/PIL/__pycache__/ImageTk*
|
|
||||||
%exclude %{python3_sitearch}/PIL/__pycache__/SpiderImagePlugin*
|
|
||||||
%exclude %{python3_sitearch}/PIL/__pycache__/ImageQt*
|
|
||||||
|
|
||||||
%files -n python3-%{srcname}-devel
|
|
||||||
%{py3_incdir}/Imaging/
|
|
||||||
|
|
||||||
%files -n python3-%{srcname}-doc
|
|
||||||
%if 0%{?with_docs}
|
|
||||||
%doc docs/_build_py3/html
|
|
||||||
%endif # with_docs
|
|
||||||
|
|
||||||
%files -n python3-%{srcname}-tk
|
|
||||||
%{python3_sitearch}/PIL/_imagingtk*
|
|
||||||
%{python3_sitearch}/PIL/ImageTk*
|
|
||||||
%{python3_sitearch}/PIL/SpiderImagePlugin*
|
|
||||||
%{python3_sitearch}/PIL/__pycache__/ImageTk*
|
|
||||||
%{python3_sitearch}/PIL/__pycache__/SpiderImagePlugin*
|
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
|
||||||
* Thu Apr 04 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-21
|
|
||||||
- Security fix for CVE-2024-28219
|
|
||||||
Resolves: RHEL-31071
|
|
||||||
|
|
||||||
* Thu Jan 25 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-20
|
|
||||||
- Security fix for CVE-2023-50447
|
|
||||||
Resolves: RHEL-22240
|
|
||||||
|
|
||||||
* Fri Nov 10 2023 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-19
|
|
||||||
- Security fix for CVE-2023-44271
|
|
||||||
Resolves: RHEL-15460
|
|
||||||
|
|
||||||
* Fri Feb 11 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-18
|
|
||||||
- Fixup for CVE-2022-22817
|
|
||||||
- Security fixes for CVE-2022-22815, CVE-2022-22816
|
|
||||||
Resolves: rhbz#2042511, rhbz#2042522
|
|
||||||
|
|
||||||
* Fri Feb 04 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-17
|
|
||||||
- Fix for CVE-2022-22817
|
|
||||||
Resolves: rhbz#2042527
|
|
||||||
|
|
||||||
* Mon Aug 02 2021 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-16
|
|
||||||
- Fix for CVE-2021-34552
|
|
||||||
Resolves: rhbz#1982378
|
|
||||||
|
|
||||||
* Mon Jun 14 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-15
|
|
||||||
- Fixes for CVE-2021-25288, CVE-2021-25287, CVE-2021-28675, CVE-2021-28676,
|
|
||||||
CVE-2021-28677 and CVE-2021-28678
|
|
||||||
Resolves: rhbz#1958231, rhbz#1958226, rhbz#1958240, rhbz#1958252, rhbz#1958257, rhbz#1958263
|
|
||||||
|
|
||||||
* Fri Apr 09 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-14
|
|
||||||
- Fixes for CVE-2021-25290, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921
|
|
||||||
CVE-2021-27922, and CVE-2021-27923
|
|
||||||
Resolves: rhbz#1934685 rhbz#1934699 rhbz#1934705 rhbz#1935384 rhbz#1935396 rhbz#1935401
|
|
||||||
|
|
||||||
* Thu Feb 18 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-13
|
|
||||||
- Fixes for CVE-2020-35653 and CVE-2020-35655
|
|
||||||
Resolves: rhbz#1915420 rhbz#1915432
|
|
||||||
|
|
||||||
* Mon Jul 13 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-12
|
|
||||||
- Fix for CVE-2020-11538
|
|
||||||
Resolves: rhbz#1852814
|
|
||||||
|
|
||||||
* Wed Mar 04 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-11
|
|
||||||
- Fix for CVE-2020-5313
|
|
||||||
Resolves: rhbz#1789532
|
|
||||||
|
|
||||||
* Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-10
|
|
||||||
- Bump and rebuild for gating to deliver CVE fixes
|
|
||||||
Resolves: rhbz#1789535
|
|
||||||
|
|
||||||
* Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-9
|
|
||||||
- Fix for CVE-2020-5311 - out-of-bounds write in expandrow
|
|
||||||
Resolves: rhbz#1789535
|
|
||||||
|
|
||||||
* Fri Feb 14 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-8
|
|
||||||
- Combined fixes for CVE-2020-5312 and CVE-2019-16865
|
|
||||||
Resolves: rhbz#1789533
|
|
||||||
Resolves: rhbz#1774066
|
|
||||||
|
|
||||||
* Tue Nov 27 2018 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-7
|
|
||||||
- Add upstream patch to solve build-time warning
|
|
||||||
- Move patches to dist-git
|
|
||||||
- Resolves: rhbz#1639348
|
|
||||||
|
|
||||||
* Mon Oct 15 2018 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-6
|
|
||||||
- Add patches to fix issues found by static code analysis
|
|
||||||
- Resolves: rhbz#1602669
|
|
||||||
|
|
||||||
* Wed Jun 27 2018 Petr Viktorin <pviktori@redhat.com> - 5.1.1-5
|
|
||||||
- Correct dependency on python3-tkinter
|
|
||||||
|
|
||||||
* Tue Jun 19 2018 Petr Viktorin <pviktori@redhat.com> - 5.1.1-4
|
|
||||||
- Drop dependency on python3-olefile (breaking MicImagePlugin.py, FpxImagePlugin)
|
|
||||||
|
|
||||||
* Thu Jun 14 2018 Petr Viktorin <pviktori@redhat.com> - 5.1.1-3
|
|
||||||
- Remove the Python 2 subpackage
|
|
||||||
- Remove the libimagequant dependency
|
|
||||||
The imagequant library was only used to support a non-default image
|
|
||||||
quantization mode.
|
|
||||||
|
|
||||||
* Thu May 31 2018 Petr Viktorin <pviktori@redhat.com> - 5.1.1-2
|
|
||||||
- Remove the python2 version of docs
|
|
||||||
- Remove Qt subpackages
|
|
||||||
- Drop dependency on python2-olefile (breaking MicImagePlugin.py, FpxImagePlugin)
|
|
||||||
|
|
||||||
* Wed Apr 25 2018 Sandro Mani <manisandro@gmail.com> - 5.1.1-1
|
|
||||||
- Update to 5.1.1
|
|
||||||
|
|
||||||
* Thu Apr 05 2018 Sandro Mani <manisandro@gmail.com> - 5.1.0-1
|
|
||||||
- Update to 5.1.0
|
|
||||||
|
|
||||||
* Wed Mar 07 2018 Sandro Mani <manisandro@gmail.com> - 5.0.0-3
|
|
||||||
- Add missing BR: gcc
|
|
||||||
|
|
||||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Jan 03 2018 Sandro Mani <manisandro@gmail.com> - 5.0.0-1
|
|
||||||
- Update to 5.0.0
|
|
||||||
|
|
||||||
* Tue Oct 03 2017 Sandro Mani <manisandro@gmail.com> - 4.3.0-1
|
|
||||||
- Update to 4.3.0
|
|
||||||
|
|
||||||
* Tue Sep 05 2017 Troy Dawson <tdawson@redhat.com> - 4.2.1-5
|
|
||||||
- Cleanup spec file conditionals
|
|
||||||
|
|
||||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.1-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.1-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri Jul 07 2017 Igor Gnatenko <ignatenko@redhat.com> - 4.2.1-2
|
|
||||||
- Rebuild due to bug in RPM (RHBZ #1468476)
|
|
||||||
|
|
||||||
* Thu Jul 06 2017 Sandro Mani <manisandro@gmail.com> - 4.2.1-1
|
|
||||||
- Update to 4.2.1
|
|
||||||
|
|
||||||
* Sat Jul 01 2017 Sandro Mani <manisandro@gmail.com> - 4.2.0-1
|
|
||||||
- Update to 4.2.0
|
|
||||||
|
|
||||||
* Fri Apr 28 2017 Sandro Mani <manisandro@gmail.com> - 4.1.1-1
|
|
||||||
- Update to 4.1.1
|
|
||||||
|
|
||||||
* Wed Apr 05 2017 Sandro Mani <manisandro@gmail.com> - 4.1.0-1
|
|
||||||
- Update to 4.1.0
|
|
||||||
|
|
||||||
* Wed Feb 15 2017 Sandro Mani <manisandro@gmail.com> - 4.0.0-3
|
|
||||||
- Fix some __pycache__ files in wrong subpackage (#1422606)
|
|
||||||
|
|
||||||
* Wed Feb 01 2017 Sandro Mani <manisandro@gmail.com> - 4.0.0-2
|
|
||||||
- Rebuild (libwebp)
|
|
||||||
|
|
||||||
* Tue Jan 03 2017 Sandro Mani <manisandro@gmail.com> - 4.0.0-1
|
|
||||||
- Update to 4.0.0
|
|
||||||
|
|
||||||
* Mon Dec 12 2016 Miro Hrončok <mhroncok@redhat.com> - 3.4.2-3
|
|
||||||
- Enable docs build
|
|
||||||
|
|
||||||
* Mon Dec 12 2016 Miro Hrončok <mhroncok@redhat.com> - 3.4.2-2
|
|
||||||
- Rebuild for Python 3.6
|
|
||||||
|
|
||||||
* Wed Oct 19 2016 Sandro Mani <manisandro@gmail.com> - 3.4.2-1
|
|
||||||
- Update to 3.4.2
|
|
||||||
|
|
||||||
* Tue Oct 04 2016 Sandro Mani <manisandro@gmail.com> - 3.4.1-1
|
|
||||||
- Update to 3.4.1
|
|
||||||
|
|
||||||
* Mon Oct 03 2016 Sandro Mani <manisandro@gmail.com> - 3.4.0-1
|
|
||||||
- Update to 3.4.0
|
|
||||||
|
|
||||||
* Thu Aug 18 2016 Sandro Mani <manisandro@gmail.com> - 3.3.1-1
|
|
||||||
- Update to 3.3.1
|
|
||||||
|
|
||||||
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.3.0-2
|
|
||||||
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
|
|
||||||
|
|
||||||
* Sat Jul 02 2016 Sandro Mani <manisandro@gmail.com> - 3.3.0-1
|
|
||||||
- Update to 3.3.0
|
|
||||||
- Modernize spec
|
|
||||||
|
|
||||||
* Fri Apr 01 2016 Sandro Mani <manisandro@gmail.com> - 3.2.0-1
|
|
||||||
- Update to 3.2.0
|
|
||||||
|
|
||||||
* Wed Feb 10 2016 Sandro Mani <manisandro@gmail.com> - 3.1.1-3
|
|
||||||
- Fix broken python3-pillow package description
|
|
||||||
|
|
||||||
* Sun Feb 07 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 3.1.1-2
|
|
||||||
- Fix provides
|
|
||||||
|
|
||||||
* Thu Feb 04 2016 Sandro Mani <manisandro@gmail.com> - 3.1.1-1
|
|
||||||
- Update to 3.1.1
|
|
||||||
- Fixes CVE-2016-0740, CVE-2016-0775
|
|
||||||
|
|
||||||
* Mon Jan 11 2016 Toshio Kuratomi <toshio@fedoraproject.org> - 3.1.0-2
|
|
||||||
- Fix executable files in doc package bringing in python 2 for the python3 doc
|
|
||||||
packages
|
|
||||||
|
|
||||||
* Mon Jan 04 2016 Sandro Mani <manisandro@gmail.com> - 3.1.0-1
|
|
||||||
- Update to 3.1.0
|
|
||||||
|
|
||||||
* Tue Dec 29 2015 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 3.0.0-5
|
|
||||||
- Build with docs
|
|
||||||
|
|
||||||
* Mon Dec 28 2015 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 3.0.0-4
|
|
||||||
- Rebuilt for libwebp soname bump
|
|
||||||
|
|
||||||
* Wed Oct 14 2015 Robert Kuska <rkuska@redhat.com> - 3.0.0-3
|
|
||||||
- Rebuilt for Python3.5 rebuild with docs
|
|
||||||
|
|
||||||
* Tue Oct 13 2015 Robert Kuska <rkuska@redhat.com> - 3.0.0-2
|
|
||||||
- Rebuilt for Python3.5 rebuild without docs
|
|
||||||
|
|
||||||
* Fri Oct 02 2015 Sandro Mani <manisandro@gmail.com> - 3.0.0-1
|
|
||||||
- Update to 3.0.0
|
|
||||||
|
|
||||||
* Wed Jul 29 2015 Sandro Mani <manisandro@gmail.com> - 2.9.0-2
|
|
||||||
- Fix python3-pillow-tk Requires: tkinter -> python3-tkinter (#1248085)
|
|
||||||
|
|
||||||
* Thu Jul 02 2015 Sandro Mani <manisandro@gmail.com> - 2.9.0-1
|
|
||||||
- Update to 2.9.0
|
|
||||||
|
|
||||||
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.2-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jun 08 2015 Sandro Mani <manisandro@gmail.com> - 2.8.2-1
|
|
||||||
- Update to 2.8.2
|
|
||||||
|
|
||||||
* Thu Apr 02 2015 Sandro Mani <manisandro@gmail.com> - 2.8.1-1
|
|
||||||
- Update to 2.8.1
|
|
||||||
|
|
||||||
* Wed Apr 01 2015 Sandro Mani <manisandro@gmail.com> - 2.8.0-1
|
|
||||||
- Update to 2.8.0
|
|
||||||
|
|
||||||
* Mon Jan 12 2015 Sandro Mani <manisandro@gmail.com> - 2.7.0-1
|
|
||||||
- Update to 2.7.0
|
|
||||||
- Drop sane subpackage, is in python-sane now
|
|
||||||
- Fix python3 headers directory
|
|
||||||
- Drop Obsoletes: python3-pillow on python3-pillow-qt
|
|
||||||
|
|
||||||
* Mon Oct 13 2014 Sandro Mani <manisandro@gmail.com> - 2.6.1-1
|
|
||||||
- Update to 2.6.1
|
|
||||||
|
|
||||||
* Thu Oct 02 2014 Sandro Mani <manisandro@gmail.com> - 2.6.0-1
|
|
||||||
- Update to 2.6.0
|
|
||||||
|
|
||||||
* Wed Aug 20 2014 Sandro Mani <manisandro@gmail.com> - 2.5.3-3
|
|
||||||
- Rebuilding again to resolve transient build error that caused BZ#1131723
|
|
||||||
|
|
||||||
* Tue Aug 19 2014 Stephen Gallagher <sgallagh@redhat.com> - 2.5.3-2
|
|
||||||
- Rebuilding to resolve transient build error that caused BZ#1131723
|
|
||||||
|
|
||||||
* Tue Aug 19 2014 Sandro Mani <manisandro@gmail.com> - 2.5.3-1
|
|
||||||
- Update to 2.5.3 (Fix CVE-2014-3598, a DOS in the Jpeg2KImagePlugin)
|
|
||||||
|
|
||||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.2-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Aug 13 2014 Sandro Mani <manisandro@gmail.com> - 2.5.2-1
|
|
||||||
- Update to 2.5.2 (Fix CVE-2014-3589, a DOS in the IcnsImagePlugin)
|
|
||||||
|
|
||||||
* Sat Jul 26 2014 Sandro Mani <manisandro@gmail.com> - 2.5.1-2
|
|
||||||
- Reenable jpeg2k tests on big endian arches
|
|
||||||
|
|
||||||
* Tue Jul 15 2014 Sandro Mani <manisandro@gmail.com> - 2.5.1-1
|
|
||||||
- Update to 2.5.1
|
|
||||||
|
|
||||||
* Wed Jul 02 2014 Sandro Mani <manisandro@gmail.com> - 2.5.0-1
|
|
||||||
- Update to 2.5.0
|
|
||||||
|
|
||||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.0-11
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed May 28 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-10
|
|
||||||
- Rebuild with docs enabled
|
|
||||||
- Update python-pillow_openjpeg-2.1.0.patch
|
|
||||||
|
|
||||||
* Tue May 27 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-9
|
|
||||||
- Rebuild against openjpeg-2.1.0
|
|
||||||
|
|
||||||
* Fri May 23 2014 Dan Horák <dan[at]danny.cz> - 2.4.0-8
|
|
||||||
- skip jpeg2k tests on big endian arches (#1100762)
|
|
||||||
|
|
||||||
* Wed May 21 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.0-7
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Changes/f21tcl86
|
|
||||||
|
|
||||||
* Tue May 13 2014 Bohuslav Kabrda <bkabrda@redhat.com> - 2.4.0-6
|
|
||||||
- Set with_docs to 1 to build docs.
|
|
||||||
|
|
||||||
* Tue May 13 2014 Bohuslav Kabrda <bkabrda@redhat.com> - 2.4.0-5
|
|
||||||
- Bootstrap building sphinx docs because of circular dependency with sphinx.
|
|
||||||
|
|
||||||
* Fri May 9 2014 Orion Poplawski <orion@cora.nwra.com> - 2.4.0-4
|
|
||||||
- Rebuild for Python 3.4
|
|
||||||
|
|
||||||
* Tue Apr 22 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-3
|
|
||||||
- Add patch: Have the tempfile use a suffix with a dot
|
|
||||||
|
|
||||||
* Thu Apr 17 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-2
|
|
||||||
- Enable Jpeg2000 support
|
|
||||||
- Enable webp support also on s390* archs, bug #962091 is now fixed
|
|
||||||
- Add upstream patch for ghostscript detection
|
|
||||||
|
|
||||||
* Wed Apr 02 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-1
|
|
||||||
- Update to 2.4.0
|
|
||||||
|
|
||||||
* Wed Mar 19 2014 Sandro Mani <manisandro@gmail.com> - 2.3.1-1
|
|
||||||
- Update to 2.3.1 (Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933))
|
|
||||||
|
|
||||||
* Thu Mar 13 2014 Jakub Dorňák <jdornak@redhat.com> - 2.3.0-5
|
|
||||||
- python-pillow does not provide python3-imaging
|
|
||||||
(python3-pillow does)
|
|
||||||
|
|
||||||
* Tue Jan 07 2014 Sandro Mani <manisandro@gmail.com> - 2.3.0-4
|
|
||||||
- Add missing ghostscript Requires and BuildRequires
|
|
||||||
|
|
||||||
* Mon Jan 06 2014 Sandro Mani <manisandro@gmail.com> - 2.3.0-3
|
|
||||||
- Remove python-pillow_help-theme.patch, add python-sphinx-theme-better BR
|
|
||||||
|
|
||||||
* Sun Jan 05 2014 Sandro Mani <manisandro@gmail.com> - 2.3.0-2
|
|
||||||
- Rebuild with docs enabled
|
|
||||||
- Change lcms BR to lcms2
|
|
||||||
|
|
||||||
* Thu Jan 02 2014 Sandro Mani <manisandro@gmail.com> - 2.3.0-1
|
|
||||||
- Update to 2.3.0
|
|
||||||
- Build with doc disabled to break circular python-pillow -> python-sphinx -> python pillow dependency
|
|
||||||
|
|
||||||
* Wed Oct 23 2013 Sandro Mani <manisandro@gmail.com> - 2.2.1-2
|
|
||||||
- Backport fix for decoding tiffs with correct byteorder, fixes rhbz#1019656
|
|
||||||
|
|
||||||
* Wed Oct 02 2013 Sandro Mani <manisandro@gmail.com> - 2.2.1-1
|
|
||||||
- Update to 2.2.1
|
|
||||||
- Really enable webp on ppc, but leave disabled on s390
|
|
||||||
|
|
||||||
* Thu Aug 29 2013 Sandro Mani <manisandro@gmail.com> - 2.1.0-4
|
|
||||||
- Add patch to fix incorrect PyArg_ParseTuple tuple signature, fixes rhbz#962091 and rhbz#988767.
|
|
||||||
- Renable webp support on bigendian arches
|
|
||||||
|
|
||||||
* Wed Aug 28 2013 Sandro Mani <manisandro@gmail.com> - 2.1.0-3
|
|
||||||
- Add patch to fix memory corruption caused by invalid palette size, see rhbz#1001122
|
|
||||||
|
|
||||||
* Tue Jul 30 2013 Karsten Hopp <karsten@redhat.com> 2.1.0-2
|
|
||||||
- Build without webp support on ppc* archs (#988767)
|
|
||||||
|
|
||||||
* Wed Jul 03 2013 Sandro Mani <manisandro@gmail.com> - 2.1.0-1
|
|
||||||
- Update to 2.1.0
|
|
||||||
- Run tests in builddir, not installroot
|
|
||||||
- Build python3-pillow docs with python3
|
|
||||||
- python-pillow_endian.patch upstreamed
|
|
||||||
|
|
||||||
* Mon May 13 2013 Roman Rakus <rrakus@redhat.com> - 2.0.0-10
|
|
||||||
- Build without webp support on s390* archs
|
|
||||||
Resolves: rhbz#962059
|
|
||||||
|
|
||||||
* Sat May 11 2013 Roman Rakus <rrakus@redhat.com> - 2.0.0-9.gitd1c6db8
|
|
||||||
- Conditionaly disable build of python3 parts on RHEL system
|
|
||||||
|
|
||||||
* Wed May 08 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-8.gitd1c6db8
|
|
||||||
- Add patch to fix test failure on big-endian
|
|
||||||
|
|
||||||
* Thu Apr 25 2013 Toshio Kuratomi <toshio@fedoraproject.org> - 2.0.0-7.gitd1c6db8
|
|
||||||
- Remove Obsoletes in the python-pillow-qt subpackage. Obsoletes isn't
|
|
||||||
appropriate since qt support didn't exist in the previous python-pillow
|
|
||||||
package so there's no reason to drag in python-pillow-qt when updating
|
|
||||||
python-pillow.
|
|
||||||
|
|
||||||
* Fri Apr 19 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-6.gitd1c6db8
|
|
||||||
- Update to latest git
|
|
||||||
- python-pillow_quantization.patch now upstream
|
|
||||||
- python-pillow_endianness.patch now upstream
|
|
||||||
- Add subpackage for ImageQt module, with correct dependencies
|
|
||||||
- Add PyQt4 and numpy BR (for generating docs / running tests)
|
|
||||||
|
|
||||||
* Mon Apr 08 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-5.git93a488e
|
|
||||||
- Reenable tests on bigendian, add patches for #928927
|
|
||||||
|
|
||||||
* Sun Apr 07 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-4.git93a488e
|
|
||||||
- Update to latest git
|
|
||||||
- disable tests on bigendian (PPC*, S390*) until rhbz#928927 is fixed
|
|
||||||
|
|
||||||
* Fri Mar 22 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-3.gitde210a2
|
|
||||||
- python-pillow_tempfile.patch now upstream
|
|
||||||
- Add python3-imaging provides (bug #924867)
|
|
||||||
|
|
||||||
* Fri Mar 22 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-2.git2e88848
|
|
||||||
- Update to latest git
|
|
||||||
- Remove python-pillow-disable-test.patch, gcc is now fixed
|
|
||||||
- Add python-pillow_tempfile.patch to prevent a temporary file from getting packaged
|
|
||||||
|
|
||||||
* Tue Mar 19 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-1.git2f4207c
|
|
||||||
- Update to 2.0.0 git snapshot
|
|
||||||
- Enable python3 packages
|
|
||||||
- Add libwebp-devel BR for Pillow 2.0.0
|
|
||||||
|
|
||||||
* Wed Mar 13 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.7.8-6.20130305git
|
|
||||||
- Add ARM support
|
|
||||||
|
|
||||||
* Tue Mar 12 2013 Karsten Hopp <karsten@redhat.com> 1.7.8-5.20130305git
|
|
||||||
- add s390* and ppc* to arch detection
|
|
||||||
|
|
||||||
* Tue Mar 05 2013 Sandro Mani <manisandro@gmail.com> - 1.7.8-4.20130305git7866759
|
|
||||||
- Update to latest git snapshot
|
|
||||||
- 0001-Cast-hash-table-values-to-unsigned-long.patch now upstream
|
|
||||||
- Pillow-1.7.8-selftest.patch now upstream
|
|
||||||
|
|
||||||
* Mon Feb 25 2013 Sandro Mani <manisandro@gmail.com> - 1.7.8-3.20130210gite09ff61
|
|
||||||
- Really remove -fno-strict-aliasing
|
|
||||||
- Place comment on how to retreive source just above the Source0 line
|
|
||||||
|
|
||||||
* Mon Feb 18 2013 Sandro Mani <manisandro@gmail.com> - 1.7.8-2.20130210gite09ff61
|
|
||||||
- Rebuild without -fno-strict-aliasing
|
|
||||||
- Add patch for upstream issue #52
|
|
||||||
|
|
||||||
* Sun Feb 10 2013 Sandro Mani <manisandro@gmail.com> - 1.7.8-1.20130210gite09ff61
|
|
||||||
- Initial RPM package
|
|
1
dead.package
Normal file
1
dead.package
Normal file
@ -0,0 +1 @@
|
|||||||
|
python-pillow package is retired on branch c10s for BAKERY-412
|
Loading…
Reference in New Issue
Block a user